Re: IDS296/web-misc_http-whisker-splicing-attack-space

["Andrew R. Baker" <andrewb0x29a () yahoo com>]

Based on data from one of my sensors, this alert will be triggered by the
Code Red worm.  A subsequent packet will contain the actual overflow.

-A

--- tnelson () starpoint com wrote:
> I'm new to snort, but I have v. 1.8.1-beta5 up and running.  I am seeing
> many reports of the whisker-splicing attack, targeted at most of my web
> servers.  I've read the documenation on it at whitehats.com, but I'm not
> sure how to go about determining if these are actual attacks or false
> alarms as they seem to be coming from many different IPs.
>
> Any help would be greatly appreciated.
>
> Tony Nelson
>
> ps.  My appologies if this is off-topic for this list.
>
> Tony Nelson
> Director of Network Operations
> Starpoint Solutions
> 115 Broadway, 20th Fl.
> New York, NY 10006
> Phone: 212-238-0851
> Email: tony.nelson () starpoint com
> http://www.starpoint.com
>
> *** This email was scanned by eSafe Content Inspection Server. ***
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


__________________________________________________
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users