Snort mailing list archives

RE: Would you suspect?


From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Thu, 11 Apr 2002 12:28:01 -0500

Hi Paul,
 
Very nice explanation. I will look into tcpdump and web server logs then.
Thanks.

        -----Original Message----- 
        From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com] 
        Sent: Thu 4/11/2002 11:27 AM 
        To: Ronneil Camara; snort-users () lists sourceforge net 
        Cc: 
        Subject: RE: [Snort-users] Would you suspect?
        
        


        Not necessarily. This could be someone trying to list a virtual directory,
        but in many cases it could be someone using a script or scanning utility
        crawling your site. This generates a lot of 403's. If it's occurring many
        times from one source, this might indicate a scanner/crawler being used by
        that source. If it's occurring from MANY sources and only a few times for
        each source, it may indicate you have a problem on your site....such as a
        bad link sending people to a page where they don't have permission to view.
        
        
        Paul Sheahan
        Manager of Information Security
        Priceline.com
        paul.sheahan () priceline com
        
        
        
        -----Original Message-----
        From: Ronneil Camara [mailto:ronneilc () remingtonltd com]
        Sent: Thursday, April 11, 2002 3:20 AM
        To: snort-users () lists sourceforge net
        Subject: [Snort-users] Would you suspect?
        
        
        Hi guys,
        
        I am receiving a lot of alerts from my snort, WEB-MISC 403 Forbidden.
        The source is actually our web server going to a public ip address.
        Would you suspect that the destination ip is trying to hopefully make
        a dir listing of our virtual directory? What's your analysis?
        
        Thanks. -neil
        
        000 : 48 54 54 50 2F 31 2E 31 20 34 30 33 20 41 63 63   HTTP/1.1 403 Acc
        010 : 65 73 73 20 46 6F 72 62 69 64 64 65 6E 0D 0A 53   ess Forbidden..S
        020 : 65 72 76 65 72 3A 20 4D 69 63 72 6F 73 6F 66 74   erver: Microsoft
        030 : 2D 49 49 53 2F 35 2E 30 0D 0A 44 61 74 65 3A 20   -IIS/5.0..Date:
        040 : 54 68 75 2C 20 31 31 20 41 70 72 20 32 30 30 32   Thu, 11 Apr 2002
        050 : 20 30 37 3A 31 34 3A 32 36 20 47 4D 54 0D 0A 43    07:14:26 GMT..C
        060 : 6F 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65   onnection: close
        070 : 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20   ..Content-Type:
        080 : 74 65 78 74 2F 68 74 6D 6C 0D 0A 43 6F 6E 74 65   text/html..Conte
        090 : 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 37 32 0D 0A   nt-Length: 172..
        0a0 : 0D 0A 3C 68 74 6D 6C 3E 3C 68 65 61 64 3E 3C 74   ..<html><head><t
        0b0 : 69 74 6C 65 3E 44 69 72 65 63 74 6F 72 79 20 4C   itle>Directory L
        0c0 : 69 73 74 69 6E 67 20 44 65 6E 69 65 64 3C 2F 74   isting Denied</t
        0d0 : 69 74 6C 65 3E 3C 2F 68 65 61 64 3E 0A 3C 62 6F   itle></head>.<bo
        0e0 : 64 79 3E 3C 68 31 3E 44 69 72 65 63 74 6F 72 79   dy><h1>Directory
        0f0 : 20 4C 69 73 74 69 6E 67 20 44 65 6E 69 65 64 3C    Listing Denied<
        100 : 2F 68 31 3E 54 68 69 73 20 56 69 72 74 75 61 6C   /h1>This Virtual
        110 : 20 44 69 72 65 63 74 6F 72 79 20 64 6F 65 73 20    Directory does
        120 : 6E 6F 74 20 61 6C 6C 6F 77 20 63 6F 6E 74 65 6E   not allow conten
        130 : 74 73 20 74 6F 20 62 65 20 6C 69 73 74 65 64 2E   ts to be listed.
        140 : 3C 2F 62 6F 64 79 3E 3C 2F 68 74 6D 6C 3E         </body></html>
        
        _______________________________________________
        Snort-users mailing list
        Snort-users () lists sourceforge net
        Go to this URL to change user options or unsubscribe:
        https://lists.sourceforge.net/lists/listinfo/snort-users
        Snort-users list archive:
        http://www.geocrawler.com/redir-sf.php3?list=snort-users
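A worked version of the log-side check Paul suggests, added here as an example and not part of the thread: it tallies 403 responses per client in an IIS W3C extended log and separates the one-source-many-denials pattern (scanner/crawler) from the many-sources-same-URI pattern (a bad link on the site). The log lines, IP addresses and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended log format (the #Fields: header names
# the columns, as IIS 5.0 writes them). Not real traffic from the thread.
SAMPLE_LOG = "\n".join(
    ["#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"]
    # one source probing a dozen directories: the scanner/crawler pattern
    + [f"2002-04-11 07:14:{i:02d} 198.51.100.7 GET /{d}/ - 403"
       for i, d in enumerate(["images", "scripts", "admin", "cgi-bin", "bin",
                              "inc", "include", "lib", "src", "tmp", "old", "backup"])]
    # many sources, one 403 each on the same URI: the broken-link pattern
    + [f"2002-04-11 08:00:{i:02d} 203.0.113.{i} GET /downloads/ - 403"
       for i in range(1, 6)]
    # ordinary successful traffic that must not count
    + ["2002-04-11 08:10:00 203.0.113.1 GET /index.html - 200"]
)

def forbidden_by_source(log_text):
    """Map client IP -> Counter of URI stems that drew a 403. Column
    positions come from the #Fields: header, not from a fixed layout."""
    cols, hits = None, defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            names = line.split()[1:]
            cols = (names.index("c-ip"), names.index("cs-uri-stem"),
                    names.index("sc-status"))
            continue
        if not line or line.startswith("#") or cols is None:
            continue
        parts = line.split()
        if len(parts) <= max(cols):
            continue  # malformed or truncated line
        if parts[cols[2]] == "403":
            hits[parts[cols[0]]][parts[cols[1]]] += 1
    return hits

def classify(hits, scanner_min=10, broken_min_sources=3):
    """Apply the two heuristics from the reply: a source with >= scanner_min
    denials looks like a scanner/crawler; a URI denied to >= broken_min_sources
    distinct non-scanner sources looks like a bad link on the site."""
    scanners = sorted(ip for ip, c in hits.items() if sum(c.values()) >= scanner_min)
    sources_per_uri = Counter()
    for ip, c in hits.items():
        if ip not in scanners:
            sources_per_uri.update(c.keys())
    broken = sorted(u for u, n in sources_per_uri.items() if n >= broken_min_sources)
    return scanners, broken
```

Run against a real log the thresholds need tuning to the site's traffic; the point is to check both the per-source count and the per-URI source count before deciding which of Paul's two cases applies.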
        
