Snort mailing list archives

Re: My Webservers Are Showing Up In My Alerts


From: "Vadim Pushkin" <wiskbroom () hotmail com>
Date: Fri, 14 Jun 2002 18:05:22 +0000

From: matt <mkettler () evi-inc com>
To: "Vadim Pushkin" <wiskbroom () hotmail com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] My Webservers Are Showing Up In My Alerts
Date: Thu, 13 Jun 2002 20:33:18 -0400

If I'm reading you right, you've fixed one problem, but still have a problem where it looks like your squid server is attacking other people's networks.

Have you tried modifying EXTERNAL_NET to not be "any" but instead be "!$HOME_NET" or "!$HTTP_SERVERS"? If you're only interested in inbound attacks, I'd highly recommend it, as it will speed Snort up and kill this kind of false alert.


You mean use something like this?

alert tcp !$HTTP_SERVERS any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access"; flags:A+; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:2;)



At 12:24 AM 6/14/2002 +0000, Vadim Pushkin wrote:
I already did that, in fact I have this instead:

alert tcp $EXTERNAL_NET any -> !$HTTP_SERVERS 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)

The problem is that these are ALSO my proxy servers running
Squid. As such, they are the springboard into "other" people's
webservers. Because of this I get a lot of WEB-CGI calendar,
WEB-IIS scripts, etc. to these machines. Should I add a "!"
into ALL of my rules? I hope not :-)

Thanks again,

Vad
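The EXTERNAL_NET point Matt makes above, as an added example that is not code from the thread or from Snort: a toy model of how Snort expands $EXTERNAL_NET / $HTTP_SERVERS (including "!" negation) in a rule header, showing that a host inside HOME_NET satisfies "$EXTERNAL_NET" when that variable is "any" and does not once it is "!$HOME_NET". The addresses and variable values are constructed, and ports and content matching are left out of the model.

```python
# Added example (not from the thread): a simplified model of Snort address
# variable expansion, enough to show why "var EXTERNAL_NET any" lets traffic
# sourced inside HOME_NET (e.g. clients talking to the Squid proxy) match a
# rule that was meant for inbound attacks only.
from ipaddress import ip_address, ip_network

def resolve(expr, snort_vars):
    """Expand a Snort address expression into (negated, list_of_networks)."""
    negated = expr.startswith("!")
    if negated:
        expr = expr[1:]
    if expr == "any":
        return negated, [ip_network("0.0.0.0/0")]
    if expr.startswith("$"):                      # variable reference, may nest
        inner_negated, nets = resolve(snort_vars[expr[1:]], snort_vars)
        return negated ^ inner_negated, nets      # "!" of a negated var flips back
    return negated, [ip_network(n) for n in expr.strip("[]").split(",")]

def addr_matches(expr, snort_vars, addr):
    negated, nets = resolve(expr, snort_vars)
    in_list = any(ip_address(addr) in net for net in nets)
    return in_list != negated

def header_matches(src_expr, dst_expr, snort_vars, src, dst):
    """Address part of a header like 'alert tcp SRC any -> DST $HTTP_PORTS'."""
    return addr_matches(src_expr, snort_vars, src) and addr_matches(dst_expr, snort_vars, dst)

# Constructed snort.conf variables: the proxies are also listed as web servers.
WEAK = {"HOME_NET": "10.1.0.0/16",
        "HTTP_SERVERS": "[10.1.1.10,10.1.1.11]",
        "EXTERNAL_NET": "any"}                     # the setting that causes the noise
FIXED = dict(WEAK, EXTERNAL_NET="!$HOME_NET")      # the suggested fix

OUTSIDER, PROXY, INSIDE_CLIENT = "203.0.113.5", "10.1.1.10", "10.1.20.4"

def inbound_probe_alerts(snort_vars):
    """Outsider -> our web server: a real inbound event, must still alert."""
    return header_matches("$EXTERNAL_NET", "$HTTP_SERVERS", snort_vars, OUTSIDER, PROXY)

def internal_client_alerts(snort_vars):
    """Inside host -> our Squid proxy: source is in HOME_NET, yet 'any' matches it."""
    return header_matches("$EXTERNAL_NET", "$HTTP_SERVERS", snort_vars, INSIDE_CLIENT, PROXY)
```

With the weak setting both functions return True; with the fixed setting only the inbound probe still alerts.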







