Snort mailing list archives
Re: WEB-ATTACKS id command attempt
From: Phil Wood <cpw () lanl gov>
Date: Mon, 15 Apr 2002 16:48:07 -0600
On Mon, Apr 15, 2002 at 03:39:01PM -0400, Gray . Brendan wrote:
I have a similar strange issue with that sig. My server is showing up as a source of the alerts, but when I check the payload, it shows my server being the target of a Nimda attack, to which my server responds with a "403 access forbidden" (my servers restrict who can view them by IP address).
Look at the specific rule that is generating the alert. See where your server fits into the picture. Some rules trigger on an access forbidden in the packet. You might not want this behavior. I know I don't. That information is available in the web server logs. I'm interested in more concrete indications of a problem, like a successful connect from the void to a server and, within the transactions, the appearance/reality of a real live hack's success! Of course, you might want real-time alerts based on access forbidden.
It alarms me to see my server as the source of an attack, but it seems it isn't really the source. I'm running Snort 1.8.3-5 (Red Hat RPM). I wonder why my server is showing up as a source, when all it's doing is replying with a 403.

Brendan

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Monday, April 15, 2002 3:11 PM
To: John-Magne Bredal
Cc: snort
Subject: Re: [Snort-users] WEB-ATTACKS id command attempt

On Mon, 15 Apr 2002, John-Magne Bredal wrote:

I get an awful lot of these alarms on the network I am monitoring. Does anyone know what this alert actually tells me (there are no references in ACID, which I am using), and perhaps a reason why there are so many alerts? They come from a relatively small number of boxes, but those boxes are spamming madly though. Anyone that can inform me :)

Take a look at the actual packet payload and see what's going on. From the way the rule looks:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-ATTACKS id command attempt"; flags:A+; content:"\;id"; nocase; sid:1333; rev:1; classtype:web-application-attack;)

It _could_ be a false positive. But--you can't be sure without digging into the packet and checking it out.

Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov