Snort mailing list archives

Re: WEB-ATTACKS id command attempt


From: Phil Wood <cpw () lanl gov>
Date: Mon, 15 Apr 2002 16:48:07 -0600


On Mon, Apr 15, 2002 at 03:39:01PM -0400, Gray . Brendan wrote:
I have a similar strange issue with that sig.  My server is showing up as a
source of the alerts, but when I check the payload, it shows my server being
the target of a nimda attack, from which my server responds with a "403
access forbidden" (my servers restrict who can view them by IP address).  


Look at the specific rule that is generating the alert.  See where your
server fits in to the picture.  Some rules trigger on an access forbidden in
the packet.  You might not want this behavior.  I know I don't.  That
information is available in the web server logs.  I'm interested in more
concrete indications of a problem.  Like, a successful connect from the
void to a server, and within the transactions, the appearance/reality of
a real live hack's success!

Of course, you might want real time alerts based on access forbidden.  

It alarms me to see my server as the source of an attack, but it seems it
isn't really the source.  I'm running Snort 1.8.3-5 (Red Hat RPM). I wonder
why my server is showing up as a source, when all it's doing is replying with
a 403.

Brendan



-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Monday, April 15, 2002 3:11 PM
To: John-Magne Bredal
Cc: snort
Subject: Re: [Snort-users] WEB-ATTACKS id command attempt


On Mon, 15 Apr 2002, John-Magne Bredal wrote:

I get an awful lot of these alarms on the network I am monitoring. Does
anyone know what this alert actually tells me (there are no references in
ACID which I am using), and perhaps a reason why there are so many alerts?
They come from a relatively small number of boxes, but those boxes are
spamming madly though.

Anyone that can inform me :)

Take a look at the actual packet payload and see what's going on.  From the
way the rule looks:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
    (msg:"WEB-ATTACKS id command attempt"; flags:A+; content:"\;id"; nocase; \
    sid:1333; rev:1; classtype:web-application-attack;)

It _could_ be a false positive.  But you can't be sure without digging into
the packet and checking it out.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
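As an added illustration of Phil's advice above (this is not code from the thread or from Snort): the script below parses the sid 1333 rule Erek quoted and evaluates it against two constructed packets, a probe to the server and the server's 403 reply that echoes the request URI. The home-net binding for $HTTP_SERVERS/$EXTERNAL_NET and the packet contents are assumptions. With this header only the packet sent *to* $HTTP_SERVERS port 80 fires, so a server appearing as the alert source means a different rule, or different variable definitions, is doing the matching.

```python
import ipaddress
import re

# The sid 1333 rule as quoted in the thread, joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-ATTACKS id command attempt"; '
        'flags:A+; content:"\\;id";nocase; sid:1333; rev:1; classtype:web-application-attack;)')
# Constructed bindings (assumption): home net 10.0.0.0/8, both rule variables relative to it.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
VARS = {"$HTTP_SERVERS": lambda ip: ipaddress.ip_address(ip) in HOME_NET,
        "$EXTERNAL_NET": lambda ip: ipaddress.ip_address(ip) not in HOME_NET}

def parse_rule(text):
    # Header: action proto src sport -> dst dport; options follow in parentheses.
    head, body = text.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = head.split()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "nocase": False}
    # Options end at ';', but a ';' inside a quoted value is escaped as '\;'.
    for name, value in re.findall(r'(\w+)(?::("(?:\\.|[^"\\])*"|[^;]+))?\s*;', body):
        if name == "content":
            rule["content"] = re.sub(r"\\(.)", r"\1", value.strip()[1:-1])  # unescape \; \" \\
        elif name == "nocase":
            rule["nocase"] = True
        elif name in ("msg", "sid", "flags"):
            rule[name] = value.strip().strip('"')
    return rule

def matches(rule, pkt):
    # Direction first: this rule only looks at packets *to* $HTTP_SERVERS port 80.
    if not (VARS[rule["src"]](pkt["src"]) and VARS[rule["dst"]](pkt["dst"])):
        return False
    for side in ("sport", "dport"):
        if rule[side] != "any" and int(rule[side]) != pkt[side]:
            return False
    if rule.get("flags") == "A+" and "A" not in pkt["flags"]:  # ACK set, other flags ignored
        return False
    needle, hay = rule["content"], pkt["payload"]
    if rule["nocase"]:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

# Constructed packets: the probe against the server, and the server's 403 that echoes the URI.
REQUEST = {"src": "198.51.100.7", "sport": 40211, "dst": "10.1.2.3", "dport": 80, "flags": "PA",
           "payload": "GET /cgi-bin/test.cgi?x=;ID HTTP/1.0\r\n\r\n"}
RESPONSE = {"src": "10.1.2.3", "sport": 80, "dst": "198.51.100.7", "dport": 40211, "flags": "PA",
            "payload": "HTTP/1.0 403 Forbidden\r\n\r\nAccess to /cgi-bin/test.cgi?x=;ID denied\r\n"}

def check_direction():
    rule = parse_rule(RULE)
    return matches(rule, REQUEST), matches(rule, RESPONSE)  # (True, False)
```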

