Snort mailing list archives

Re: please help ID payload info


From: Robby Desmond <rdesmond () els ucsb edu>
Date: Tue, 15 Oct 2002 10:00:18 -0700

At 09:46 AM 10/15/02 -0600, Randy Bey wrote:
I am getting a WEB-MISC /etc/passwd hit occasionally, and it has me
worried. How the heck are they getting what looks like the contents of
the /etc directory?

To me, it looks like Snort is sniffing traffic related to system administration tasks. My box doesn't fire when FreeBSD emails me the nightly alerts, but if your scripts run over the web, then they could trigger it.

I don't understand how it gets there, I have authentication set up on
the server, so a plain old HEAD shouldn't work, but the payload looks
like the output of an email that is routinely sent out with the 'ASET'
job that I run daily. ASET is a Solaris thingie that does some HIDS
stuff.

Again, I haven't had my Tripwire reports trigger alerts, but it might be because of how they are sent.

I looked in access_log on the web server and all I see is 401's
(authentication required) for all HEAD type requests. So why is this
data here?
<SNIP!>

Well, my thinking is that your ASET tool is doing reporting over a channel that Snort monitors. And since the content matches the /etc/passwd rule, it triggers an alert.

I would check to see if the time of the alert corresponds to the time when ASET runs.

Does ASET generate web-based reports by any chance?

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906
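One way to do the timing check suggested above, as an added example that is not part of the original thread: parse Snort's one-line "fast" alert format and split the hits into those that fall within a short window after a daily job's scheduled start and those that do not. The sample alert lines, sid, addresses and the 03:00 job time are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Snort "fast" alert lines (not from the thread).
# The sid, addresses and times are placeholders chosen for illustration.
SAMPLE_ALERTS = """\
10/15-03:02:41.117203 [**] [1:1122:1] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:34122 -> 10.0.0.9:80
10/15-11:47:09.551930 [**] [1:1122:1] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:4431 -> 10.0.0.9:80
10/16-03:01:58.004411 [**] [1:1122:1] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:34190 -> 10.0.0.9:80
"""

# Fast-format fields: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<date>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] "
    r"\[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)

def parse_fast_alerts(text, year):
    """Parse fast-format alert lines; the year is not in the log, so the caller supplies it."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue  # skip anything that is not a fast-format alert line
        ts = datetime.strptime(f"{year}/{m['date']}", "%Y/%m/%d-%H:%M:%S")
        alerts.append({"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
                       "src": m["src"], "dst": m["dst"]})
    return alerts

def within_job_window(ts, job_hour, job_minute, window_minutes):
    """True if ts falls within window_minutes after the most recent daily job start."""
    start = ts.replace(hour=job_hour, minute=job_minute, second=0, microsecond=0)
    if ts < start:
        start -= timedelta(days=1)  # the most recent job start was yesterday
    return ts - start <= timedelta(minutes=window_minutes)

def correlate(alerts, job_hour, job_minute, window_minutes=15):
    """Split alerts into those that line up with the job schedule and those that do not."""
    scheduled, unexplained = [], []
    for a in alerts:
        (scheduled if within_job_window(a["ts"], job_hour, job_minute, window_minutes)
         else unexplained).append(a)
    return scheduled, unexplained

if __name__ == "__main__":
    sched, other = correlate(parse_fast_alerts(SAMPLE_ALERTS, 2002), 3, 0)
    print(f"{len(sched)} alert(s) coincide with the 03:00 job, {len(other)} need a closer look")
```

Alerts that line up with the job window still deserve a look at the source address and the report channel; the unexplained ones are the ones to treat as possible probes.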




