Snort mailing list archives
Re: what does this mean?
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 21 Aug 2002 15:58:14 -0400
It means you have HTTP_SERVERS set to 'any' and the snort sensor false-positived when it saw /rksh as part of a link on a microsoft.com website. (It saw the first part of "/rkshared.js".)
Change your HTTP_SERVERS in your snort.conf to only watch your own webservers. Unless of course you suspect someone inside your network is likely to launch attacks on outside websites.
At 03:22 PM 8/21/2002 -0400, lisa foreman wrote:
[**] WEB-CGI rksh access [**]
08/21-15:16:12.241065 0:6:5B:CD:F1:44 -> 0:0:C:E:39:55 type:0x800 len:0x1E6
165.x.x.x:1205 -> 207.46.230.220:80 TCP TTL:128 TOS:0x0 ID:17900 IpLen:20 DgmLen:472 DF
***AP*** Seq: 0x9F726659 Ack: 0x2634031F Win: 0x40B0 TcpLen: 20
47 45 54 20 2F 77 69 6E 64 6F 77 73 32 30 30 30  GET /windows2000
2F 74 65 63 68 69 6E 66 6F 2F 72 65 73 6B 69 74  /techinfo/reskit
2F 65 6E 2F 49 6E 74 77 6F 72 6B 2F 72 6B 73 68  /en/Intwork/rksh
61 72 65 64 2E 6A 73 20 48 54 54 50 2F 31 2E 31  ared.js
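The false positive explained in the reply above can be reproduced offline. The following is an added example, not part of the original message and not Snort's own code: a simplified model of the rule (destination in HTTP_SERVERS, destination port, and a case-insensitive "/rksh" match in the request URI), run against the payload bytes from the quoted alert. The 192.0.2.10 web server address and the /cgi-bin/rksh request are constructed for illustration.

```python
import ipaddress

# Payload bytes copied from the hex dump in the quoted alert.
PAYLOAD = bytes.fromhex(
    "47 45 54 20 2F 77 69 6E 64 6F 77 73 32 30 30 30"
    "2F 74 65 63 68 69 6E 66 6F 2F 72 65 73 6B 69 74"
    "2F 65 6E 2F 49 6E 74 77 6F 72 6B 2F 72 6B 73 68"
    "61 72 65 64 2E 6A 73 20 48 54 54 50 2F 31 2E 31"
)

# Constructed value: stands in for "your own webservers" in snort.conf.
OWN_SERVERS = ["192.0.2.10/32"]


def in_var(addr, var):
    """True if addr is covered by a snort.conf-style address variable."""
    if var == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in var)


def rksh_alert(dst_ip, dst_port, payload, http_servers, http_ports=(80,)):
    """Simplified model of the 'WEB-CGI rksh access' rule (an assumption,
    not the rule text): fire when the destination is in HTTP_SERVERS, the
    port is an HTTP port, and '/rksh' appears anywhere in the URI."""
    if not in_var(dst_ip, http_servers) or dst_port not in http_ports:
        return False
    parts = payload.split(b" ")
    uri = parts[1] if len(parts) > 1 else b""
    return b"/rksh" in uri.lower()


if __name__ == "__main__":
    # HTTP_SERVERS = any: the outbound request to 207.46.230.220 fires,
    # because "/rksh" is a prefix of "/rkshared.js".
    print("any        :", rksh_alert("207.46.230.220", 80, PAYLOAD, "any"))
    # HTTP_SERVERS scoped to the site's own server: the same packet is
    # no longer inspected by this rule.
    print("own servers:", rksh_alert("207.46.230.220", 80, PAYLOAD, OWN_SERVERS))
    # An inbound request for rksh on the site's own server still alerts.
    probe = b"GET /cgi-bin/rksh HTTP/1.0"
    print("inbound    :", rksh_alert("192.0.2.10", 80, probe, OWN_SERVERS))
    # Caveat: the substring match itself is unchanged, so the same URI
    # served from an own web server would still fire.
    print("own + js   :", rksh_alert("192.0.2.10", 80, PAYLOAD, OWN_SERVERS))
```

Scoping HTTP_SERVERS removes alerts on outbound browsing; it does not make the "/rksh" match any more precise for traffic to the servers that remain in scope.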