Snort mailing list archives
RE: please help ID payload info
From: matthew.keay () Phones4u co uk
Date: Thu, 17 Oct 2002 09:31:08 +0100
Doh, just read the email previous to this... ignore me.

-----Original Message-----
From: Matthew Keay
Sent: 17 October 2002 08:36
To: mkettler () evi-inc com; Randy.Bey () rivernorthsys com; snort-users () lists sourceforge net
Subject: RE: [Snort-users] please help ID payload info

It could also be any URL (inbound or outbound afaik) that contains "passwd". (iirc, it might be a bit more specific). I often get false positives for this with groupware/weblog type traffic.

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: 15 October 2002 17:50
To: Randy Bey; snort-users () lists sourceforge net
Subject: Re: [Snort-users] please help ID payload info

Well, first did you check to see if this is actually coming from your webserver, or an external one? You left any details about that out, so I figure it's worth asking just to be sure.

If it's an external webserver, I bet it's a webpage containing sample output from a security check tool.

Also you claim that's similar to content sent out via email... do you have some sort of webmail access going where you might be accessing those emails from your webserver, causing it to legitimately send that content?

If that's actually coming from your webserver, and you don't have webmail, I'd check for security updates on ALL the webserver tools I was running if I were you :)

*************************************************************
This email, and any attachment, is confidential. If you have received it in error, please delete it from your system. Do not use or disclose the information in any way, and notify the sender immediately. The contents of this message may contain personal views which are not the views of Phones4U Ltd or any other company within the Caudwell Group, unless specifically stated. You may not disclose any information contained herein unless disclosure is specifically allowed or the information is publicly available.
*************************************************************