RE: please help ID payload info

[matthew.keay () Phones4u co uk]

It could also be any url (inbound or outbound afaik) that contains "passwd".
(iirc, it might be a bit more specific). 
I often get false positives for this with groupware/weblog type traffic.

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com] 
Sent: 15 October 2002 17:50
To: Randy Bey; snort-users () lists sourceforge net
Subject: Re: [Snort-users] please help ID payload info

Well, first did you check to see if this is actually coming from your 
webserver, or an external one? You left any details about that out, so I 
figure it's worth asking just to be sure. If it's an external webserver, I 
bet it's a webpage containing sample output from a security check tool.


also you claim that's similar to content sent out via email... do you have 
some sort of webmail access going where you might be accessing those emails 
from your webserver, causing it to legitimately send that content?

If that's actually coming from your webserver, and you don't have webmail, 
I'd check for security updates on ALL the webserver tools I was running 
running if I were you :)

At 09:46 AM 10/15/2002 -0600, Randy Bey wrote:
> I am getting a WEB-MISC /etc/passwd hit occasionally, and it has me
> worried. How the heck are they getting what looks like the contents of
> the /etc directory?


*************************************************************
This email, and any attachment, is confidential. If you have 
received it in error, please delete it from your system. 

Do not use or disclose the information in any way, and notify 
the sender immediately. 

The contents of this message may contain personal views which 
are not the views of Phones4U Ltd or any other company within 
the Caudwell Group, unless specifically stated. 

You may not disclose any information contained herein unless 
disclosure is specifically allowed or the information is 
publicly available.
*************************************************************