Snort mailing list archives
Re: WEB-CLIENT Excel malformed FBI record - False positive?
From: Jesper Skou Jensen <jesper.skou.jensen () uni-c dk>
Date: Tue, 08 Jul 2008 10:37:08 +0200
GREAT... I screwed up my maildrop filters and never received any of your answers, but I found them in the archive... List Subscriptions wrote:
Is $EXTERNAL_NET set to 'any'?
No, it's set to !$HOME_NET Jack Pepper wrote:
"alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any" which I read as the $HOME_NET is the destination, BUT when I read the Snort syslog message below, it looks like the "attack" originates from my webserver. Is that a correct assumption?not quite. look at the connection that would match this rule: outside_server:port80 and insideserver:otherport the way this conversation sets up is when a browser (on the inside) browses to port 80 (or other HTTP_PORT) on some outside source. So if you browse to http://www.google.com , the external host will be on port 80, the inside host will be on some high numbered port. ok? So this rule reacts to inside users browsing out.
I think I get it, but just to clarify. 1. The user client is on the outside of our network and is accessing one of our servers on the inside. 2. This rule must be triggered because of a already established connection, like this. Initial connnection outside_client:highport -> inside_server:80 Response when user downloads inside_server:80 -> outside_client:highport Correct?
which means this is not really an "outside-in attack", but is really a user downloading something that may contain a poison payload.
That is exactly what is happening. A outside user is downloading a word document from one of the servers. Thanks for clearing that up for me. -- Jesper S. Jensen Basisnet og Sikkerhed Uni-C - Ã…rhus, Danmark +45 8937-6666 ------------------------------------------------------------------------- Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW! Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom. Vote Now at http://www.sourceforge.net/community/cca08 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- WEB-CLIENT Excel malformed FBI record - False positive? Jesper Skou Jensen (Jul 07)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jack Pepper (Jul 07)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? List Subscriptions (Jul 07)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jesper Skou Jensen (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jack Pepper (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jesper Skou Jensen (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jesper Skou Jensen (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jack Pepper (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jesper Skou Jensen (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Joel Esler (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jack Pepper (Jul 08)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jesper Skou Jensen (Jul 09)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Joel Esler (Jul 09)
- Re: WEB-CLIENT Excel malformed FBI record - False positive? Jack Pepper (Jul 08)