Snort mailing list archives

RE: ATTACK RESPONSES 403 Forbidden


From: "Gray . Brendan" <bgray2 () drc com>
Date: Tue, 27 Aug 2002 09:48:31 -0400

I was about to suggest that too.  We have some websites at my company that
are restricted to specific domains and IP addresses.  In my Snort logs I get
that alert a lot.  Every time someone (or a Nimda Code Red worm) comes to one
of our restricted websites, they get a 403 error, and Snort catches it.

Brendan Gray



-----Original Message-----
From: Matt Yackley [mailto:Matt.Yackley () perkinswill com]
Sent: Tuesday, August 27, 2002 9:20 AM
To: 'Alwin Raymundo'; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] ATTACK RESPONSES 403 Forbidden


Alwin, first few things that come to mind are:

Someone on the network went to a site that returned a 403 page.
What is your External_Net and Home_Net set to?
Can you post the alert in question or provide more detail....

Matt

-----Original Message-----
From: Alwin Raymundo [mailto:alrayworld () yahoo com]
Sent: Tuesday, August 27, 2002 7:01 AM
To: user snort
Subject: [Snort-users] ATTACK RESPONSES 403 Forbidden


Hi Guys,

I don't know if this was already posted, but again I need
your help with this Attack Response.

It showed in my database that I'm the one attacking
some server, which is impossible.  I know this is
a false positive alert.

Any ideas and comments will be highly appreciated.

Thanks in advance, brothers in Snort.

=====
Alwin Raymundo
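
Added example (not part of the original thread and not Snort's own code): a small Python triage of "403 Forbidden" alerts by direction, separating the two cases raised above, a restricted local web server refusing an outside client and a local user receiving a 403 from an outside site. The HOME_NET value, the sample alert lines and the function names are constructed assumptions.

```python
import ipaddress
import re

# Assumption: HOME_NET as configured for the sensor (constructed value).
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines in Snort fast-alert layout; [1:0:0] is a placeholder
# for the gid:sid:rev field, and all addresses are made up.
SAMPLE_ALERTS = """\
08/27-09:20:11.104233  [**] [1:0:0] ATTACK RESPONSES 403 Forbidden [**] {TCP} 192.168.1.10:80 -> 203.0.113.7:3312
08/27-09:21:40.551902  [**] [1:0:0] ATTACK RESPONSES 403 Forbidden [**] {TCP} 192.168.1.10:80 -> 198.51.100.23:1045
08/27-09:25:03.220017  [**] [1:0:0] ATTACK RESPONSES 403 Forbidden [**] {TCP} 198.51.100.80:80 -> 192.168.1.55:2210
08/27-09:26:47.000311  [**] [1:0:0] ICMP PING [**] {ICMP} 203.0.113.7 -> 192.168.1.10
"""

# The source of a 403 alert is the host that sent the "403 Forbidden" response.
ALERT_RE = re.compile(
    r"ATTACK[ -]RESPONSES 403 Forbidden.*\{TCP\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

def in_home(ip):
    """True if ip falls inside any HOME_NET network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def classify(line):
    """Label one alert line by who sent the 403; None for unrelated lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    src_home, dst_home = in_home(m["src"]), in_home(m["dst"])
    if src_home and not dst_home:
        return "local server refused outside client"
    if dst_home and not src_home:
        return "local client got 403 from outside site"
    return "both local" if src_home else "neither end in HOME_NET"

def summarize(text):
    """Count 403 alerts per label across a block of alert lines."""
    counts = {}
    for line in text.splitlines():
        label = classify(line)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    for label, n in summarize(SAMPLE_ALERTS).items():
        print(f"{n:3d}  {label}")
```

A large "neither end in HOME_NET" count usually means the HOME_NET value in the script does not match what the sensor actually monitors.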




