Security Basics mailing list archives
Re: X11 Outgoing
From: Dr Aldo Medina <aldomedina () hotpop com>
Date: Fri, 31 Oct 2003 14:59:32 +0400
On Fri, 31-10-2003 at 20:24, Brad Arlt wrote:
> On Thu, Oct 30, 2003 at 02:43:45PM +0400, Dr Aldo Medina wrote:
> > I frequently get these messages in my log, after installing snort. After looking at hundreds of results in Google, I still can't find out if this is a real threat. Any ideas? TIA.
>
> It is in Snort so you can know if there are X11 connections whizzing through your boundary between network segments.
>
> X11 is the windowing system used by Linux, Solaris, Open/Free/Net BSD, and many other Unix and Unix-like variants. There are ports to Windows and I think MacOS (if MacOS X isn't already running X11 natively). X11 allows running programs on remote machines and sending the display to the local machine. If you are familiar with Microsoft Remote Desktop, or VNC, the spirit is similar though things are accomplished very much differently.
>
> An X11 connection is the start of a display being sent to a remote machine, or a remote machine sending its display (or other more evil things) to a local machine.
>
> If there are supposed to be X11 connections, then this isn't a big deal, tune Snort to not listen for X11 connections. A better approach is to limit this alert to the IPs that should *not* have X11 connections going to them (or from them) - your enterprise, Windows machines (maybe), everything in your DMZ (likely), your 9600 baud modem pool, etc. Then when you see this alert you can freak out with the proper amount of panic. This way you can think "Hmm, an X11 connection from my.... credit card database to... Korea. Ah &*$!" instead of "Hmmm all X11 connections thus far have been false positives, this one is no different."
Thanks for answering. I once used X11 forwarding, even through ssh. I don't use it anymore, however. My question is more related to the threat of these messages, since almost all are similar to this one:

Oct 31 06:42:25 {mylocalhost} snort: [1:1227:1] X11 outgoing [Classification: Unknown Traffic] [Priority: 3]: {TCP} 212.185.244.42:6003 -> {mylocalip}:59465

What do you think? Thanks again.

-- 
GPG Public key:
Primary site: pgp.mit.edu 0xDED784BF
Alternative: http://aldomedina.dyndns.org/key.gpg
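Brad's advice above (alert only where X11 should never appear) applied to the syslog line format quoted in this thread, as an added example that is not part of the mailing-list exchange. The sample log lines, the ALERT_RE pattern and the NO_X11_ZONES networks are constructed assumptions; the only page-specific values are the sid 1227 and the "X11 outgoing" message.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the syslog format quoted in the thread
# (documentation address ranges, not real hosts).
SAMPLE_ALERTS = [
    "Oct 31 06:42:25 gw snort: [1:1227:1] X11 outgoing [Classification: Unknown Traffic] "
    "[Priority: 3]: {TCP} 212.185.244.42:6003 -> 192.0.2.10:59465",
    "Oct 31 07:10:02 gw snort: [1:1227:1] X11 outgoing [Classification: Unknown Traffic] "
    "[Priority: 3]: {TCP} 198.51.100.7:6000 -> 192.0.2.200:40112",
    "Oct 31 07:11:40 gw kernel: eth0: link up",
]

# Assumed policy: segments that should never carry X11 (DMZ, card-data VLAN).
NO_X11_ZONES = [ip_network("192.0.2.0/28"), ip_network("203.0.113.0/24")]

# Hypothetical pattern for the field layout of the quoted Snort syslog alert.
ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None for a non-alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
        d[key] = int(d[key])
    return d

def x11_display(port):
    """X servers listen on TCP 6000 + display number, so 6003 is display :3."""
    return port - 6000 if 6000 <= port < 6064 else None

def in_no_x11_zone(ip, zones=NO_X11_ZONES):
    return any(ip_address(ip) in z for z in zones)

def triage(line, zones=NO_X11_ZONES):
    """Escalate sid 1227 only when either end sits in a no-X11 segment."""
    a = parse_alert(line)
    if a is None:
        return "unparsed", None
    if a["sid"] != 1227:          # not the "X11 outgoing" signature
        return "other", a
    a["display"] = x11_display(a["sport"])   # which remote display was used
    if in_no_x11_zone(a["src"], zones) or in_no_x11_zone(a["dst"], zones):
        return "escalate", a      # X11 where policy says there should be none
    return "expected", a          # known X11 users: tune the rule instead

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        verdict, a = triage(line)
        print(verdict, a and f'{a["src"]}:{a["sport"]} -> {a["dst"]}:{a["dport"]}')
```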