Snort mailing list archives
Re: wrong flow side on very old sid 1045 (always present on SEU 493)
From: Joe Gedeon <joe.gedeon () gmail com>
Date: Sun, 4 Sep 2011 18:03:39 -0400
Rmkml,

The sensor is looking for the 403 page from your servers. Look at your web logs and look for what the client was trying to get to, to cause the 403.

On Sun, Sep 4, 2011 at 17:05, rmkml <rmkml () yahoo fr> wrote:
Hi,

Maybe I have found a wrong flow side on very old sid 1045:

web-iis.rules:# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-IIS Unauthorized IP Access Attempt"; flow:to_server,established; content:"403"; content:"Forbidden|3A|"; classtype:web-application-attack; sid:1045; rev:11;)

but this sig still exists in the latest SEU 493.

Sample:

HTTP/1.1 403 Forbidden
Content-Length: 1409
Content-Type: text/html
Server: Microsoft-IIS/6.0
...
<h2>HTTP Error 403.4 - Forbidden: SSL is required to view this resource.<br>Internet Information Services (IIS)</h2>
...

Regards
Rmkml
http://twitter.com/rmkml

------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE! Finally, a world-class log management solution at an even better price-free! And you'll get a free "Love Thy Logs" t-shirt when you download Logger. Secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
--
Registered Linux User # 379282
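The flow-side mismatch rmkml reports, as an added example that is not from this thread and not part of the Snort/VRT rule set: a small Python lint that parses a Snort rule header and its option body and flags a rule whose `flow:to_server` / `flow:to_client` keyword contradicts which end of the header looks like the server. For sid 1045 the header is `$HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any`, so traffic matching it leaves the server, yet the rule asks for `flow:to_server`; the 403 response in the sample can therefore never match. The heuristic that a variable named `*_SERVERS` or `*_PORTS` marks the server end, the extra sample rules, and the rewrite to `flow:to_client,established` produced by `fix_flow_side` are my assumptions; the thread does not say whether a later SEU changed the rule.

```python
import re

# Constructed sample: the sid 1045 rule exactly as quoted in rmkml's message.
RULE_1045 = (
    'alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any '
    '(msg:"WEB-IIS Unauthorized IP Access Attempt"; flow:to_server,established; '
    'content:"403"; content:"Forbidden|3A|"; classtype:web-application-attack; '
    'sid:1045; rev:11;)'
)

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def split_options(opts):
    """Split the option body on ';' outside double quotes, keeping backslash escapes."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == '\\' and i + 1 < len(opts):      # escaped char: copy both bytes verbatim
            buf.append(opts[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ';' and not in_quote:
            if ''.join(buf).strip():
                parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    if ''.join(buf).strip():
        parts.append(''.join(buf).strip())
    # (name, value) pairs; options without ':' get an empty value
    return [(p.partition(':')[0].strip(), p.partition(':')[2].strip()) for p in parts]


def flow_direction(options):
    """Normalise flow keywords: to_server == from_client, to_client == from_server."""
    for name, value in options:
        if name == 'flow':
            kws = {k.strip() for k in value.split(',')}
            if kws & {'to_server', 'from_client'}:
                return 'to_server'
            if kws & {'to_client', 'from_server'}:
                return 'to_client'
    return None


def looks_like_server_side(addr, port):
    # Assumed naming heuristic: $HTTP_SERVERS / $HTTP_PORTS style variables mark the server end.
    return addr.upper().endswith('_SERVERS') or port.upper().endswith('_PORTS')


def check_flow_side(rule):
    """Return (sid, verdict); verdict is 'ok', 'unknown' or a 'mismatch: ...' string."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError('unparsable rule header')
    options = split_options(m.group('opts'))
    sid = next((v for n, v in options if n == 'sid'), '?')
    flow = flow_direction(options)
    if flow is None or m.group('dir') == '<>':
        return sid, 'ok'            # no flow keyword, or bidirectional header: nothing to compare
    src_server = looks_like_server_side(m.group('src'), m.group('sport'))
    dst_server = looks_like_server_side(m.group('dst'), m.group('dport'))
    if src_server == dst_server:
        return sid, 'unknown'       # cannot tell which end is the server
    expected = 'to_server' if dst_server else 'to_client'
    if flow == expected:
        return sid, 'ok'
    return sid, f'mismatch: header implies {expected}, flow says {flow}'


def fix_flow_side(rule):
    """Swap the flow keyword so it agrees with the header (assumed fix, not an official SEU change)."""
    _, verdict = check_flow_side(rule)
    if not verdict.startswith('mismatch'):
        return rule
    swap = {'to_server': 'to_client', 'from_client': 'from_server',
            'to_client': 'to_server', 'from_server': 'from_client'}

    def repl(m):
        kws = [swap.get(k.strip(), k.strip()) for k in m.group(1).split(',')]
        return 'flow:' + ','.join(kws)

    return re.sub(r'flow:([^;]*)', repl, rule, count=1)


if __name__ == '__main__':
    print(check_flow_side(RULE_1045))
    print(fix_flow_side(RULE_1045))
```

Run as a script it prints the verdict for sid 1045 and the rewritten rule; feeding every line of a .rules file through `check_flow_side` gives a quick audit for this class of error across a whole SEU.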
Current thread:
- wrong flow side on very old sid 1045 (always present on SEU 493) rmkml (Sep 05)
- Re: wrong flow side on very old sid 1045 (always present on SEU 493) Joe Gedeon (Sep 05)