Security Basics mailing list archives

Re: X11 Outgoing


From: Dr Aldo Medina <aldomedina () hotpop com>
Date: Fri, 31 Oct 2003 14:59:32 +0400

On Fri, 31-10-2003 at 20:24, Brad Arlt wrote:
On Thu, Oct 30, 2003 at 02:43:45PM +0400, Dr Aldo Medina wrote:
I frequently get these messages in my log, after installing
snort. After looking at hundreds of results in Google, I still can't find
out if this is a real threat. Any ideas? TIA.

It is in Snort so you can know if there are X11 connections whizzing
through your boundary between network segments.

X11 is the windowing system used by Linux, Solaris, Open/Free/Net BSD,
and many other Unix and Unix-like variants.  There are ports to
Windows and I think MacOS (if MacOS X isn't already running X11
natively).

X11 allows running programs on remote machines and sending the display
to the local machine.  If you are familiar with Microsoft Remote
Desktop, or VNC, the spirit is similar though things are accomplished
very much differently.

An X11 connection is the start of a display being sent to a remote
machine, or a remote machine sending its display (or other more evil
things) to a local machine.

If there are supposed to be X11 connections, then this isn't a big
deal, tune Snort to not listen for X11 connections.  

A better approach is to limit this alert to the IPs that should *not*
have X11 connections going to them (or from them) - your enterprise,
Windows machines (maybe), everything in your DMZ (likely), your 9600
baud modem pool, etc.  Then when you see this alert you can freak out
with the proper amount of panic.

This way you can think "Hmm, an X11 connection from my....  credit
card database to... Korea. Ah &*$!" instead of "Hmmm all X11
connections thus far have been false positives, this one is no
different."

Thanks for answering. I once used X11 forwarding, even through ssh. I don't
use it anymore, however. My question is more related to the threat of
these messages, since almost all are similar to this one:

Oct 31 06:42:25 {mylocalhost} snort: [1:1227:1] X11 outgoing
[Classification: Unknown Traffic] [Priority: 3]: {TCP}
212.185.244.42:6003 -> {mylocalip}:59465

What do you think? Thanks again.

-- 
GPG Public key: Primary site: pgp.mit.edu 0xDED784BF
Alternative: http://aldomedina.dyndns.org/key.gpg
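The tuning approach Brad describes (alert only when an endpoint sits in a network that should never carry X11) can be applied on top of the syslog lines Aldo posted. The following is an added example and is not code from the thread or from Snort: it parses the alert format shown above, notes which side is using an X server port (TCP 6000 + display number, so 6000-6063), and triages the alert against a "no X11 expected" network list. The sample lines and the network ranges (RFC 5737 documentation addresses) are constructed for the example.

```python
"""Triage Snort 'X11 outgoing' syslog alerts against networks where X11 is not expected."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Matches the syslog form of a Snort alert as it appears in the thread:
# "... snort: [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<classification>[^\]]+)\] "
    r"\[Priority: (?P<priority>\d+)\]: \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# X servers listen on TCP 6000 + display number; 6000-6063 covers displays :0 to :63.
X11_PORTS = range(6000, 6064)


@dataclass
class Alert:
    sid: int
    msg: str
    priority: int
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one syslog line; return None for lines that are not Snort alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(
        sid=int(m["sid"]), msg=m["msg"], priority=int(m["priority"]),
        proto=m["proto"],
        src=ipaddress.IPv4Address(m["src"]), sport=int(m["sport"]),
        dst=ipaddress.IPv4Address(m["dst"]), dport=int(m["dport"]),
    )


def x_server_side(alert: Alert) -> Optional[str]:
    """Which endpoint ('src' or 'dst') is on an X server port, if either is."""
    if alert.sport in X11_PORTS:
        return "src"
    if alert.dport in X11_PORTS:
        return "dst"
    return None


def triage(alert: Alert, no_x11_nets) -> str:
    """'investigate' if either endpoint is in a network that should never carry X11,
    otherwise 'expected' (a known X11 path that can be suppressed in Snort)."""
    nets = [ipaddress.ip_network(n) for n in no_x11_nets]
    for addr in (alert.src, alert.dst):
        if any(addr in net for net in nets):
            return "investigate"
    return "expected"


# Constructed sample lines using RFC 5737 documentation addresses (not real hosts).
SAMPLE_LINES = [
    "Oct 31 06:42:25 sensor snort: [1:1227:1] X11 outgoing "
    "[Classification: Unknown Traffic] [Priority: 3]: {TCP} "
    "203.0.113.42:6003 -> 192.0.2.10:59465",
    "Oct 31 06:42:30 sensor snort: [1:1227:1] X11 outgoing "
    "[Classification: Unknown Traffic] [Priority: 3]: {TCP} "
    "198.51.100.7:6000 -> 192.0.2.200:41022",
]

# Constructed policy: 192.0.2.0/25 is the DMZ, where X11 should never appear;
# the upper half of 192.0.2.0/24 holds workstations that legitimately use it.
NO_X11_NETS = ["192.0.2.0/25"]


def triage_lines(lines, no_x11_nets=NO_X11_NETS):
    """Return (src, dst, x_server_side, verdict) for every parseable alert line."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        results.append((alert.src, alert.dst, x_server_side(alert), triage(alert, no_x11_nets)))
    return results


if __name__ == "__main__":
    for src, dst, side, verdict in triage_lines(SAMPLE_LINES):
        print(f"{src} -> {dst}: X server port on {side}, verdict={verdict}")
```

In the thread's own line the remote host's port is 6003, i.e. an X server on display :3 on the remote side, with the local host on an ephemeral port; the `x_server_side` field makes that direction explicit so the analyst can ask whether a local program should be drawing on a remote display at all.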



