Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Unusual http traffic

From: Chris Green <cmg () uab edu>
Date: Mon, 22 Oct 2001 16:00:53 -0500
Fraser Hugh <hugh_fraser () dofasco ca> writes:


1.  (*) text/plain          ( ) text/html           

I've turned off the Code Red and Nimda alert rules since we've
comfortable with our ability to deal with those on the servers
themselves. It's more the balance of the URL that looked unusual.


Is your webserver where you got those logs from?  It really looks like
your webserver is interpreting the extra characters that form the /../
part as TLS/SSL control commands.

What webserver is that?

If you turned off the rules, you're not going to see that. Cmd.exe
rules catch common attacks from several differnt types and not just
code red but they certainly aren't 100% reliable.
-- 
Chris Green <cmg () uab edu>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: