Snort mailing list archives

RE: ATTACK RESPONSES 403 Forbidden


From: "Gould, Scott" <sgould () gogstats org>
Date: Tue, 23 Mar 2004 11:26:56 -0500

Actually, the source IP was the Exchange Server replying to the DC with a 403, which would imply that the HTTP request 
originated from the DC.  No web-based admin tools installed.  Still got me stumped.

________________________________

From: Koski, Brian [mailto:bkoski () ci citrus-heights ca us]
Sent: Tue 3/23/2004 10:53 AM
To: Gould, Scott
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] ATTACK RESPONSES 403 Forbidden



So the source IP was the DC? Did you check the IIS logs? Anyone maybe
ran a web-based admin tool?

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Gould,
Scott
Sent: Monday, March 22, 2004 8:54 PM
Cc: snort-users () lists sourceforge net
Subject: [Snort-users] ATTACK RESPONSES 403 Forbidden

Hi,

New to Snort but loving it so far.  All going well, but a little stumped
on something.

Seeing 

ATTACK RESPONSES 403 Forbidden

HTTP/1.1 403 Access Forbidden
Server: Microsoft-IIS/5.0
Date: Tue, 23 Mar 2004 04:24:14 GMT
Content-Length: 3779
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html dir=ltr>
<head>
<style>
a:link...{font:8pt/11pt verdana; color:FF0000}
a:visited..{font


in a response from a Microsoft Exchange 2000 server to a Windows 2000
Server Domain Controller.  The Domain Controller is also a Global
Catalog.  Made sure no admins were accessing webmail from the Domain
Controller; the machine did not even have a browser running when these
responses came back.  Wasn't aware of communication between a Domain
Controller and Exchange 2000 server that takes place over HTTP.

Anyone with a windows shop see these and have any ideas?


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users
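One way to follow up on the "check the IIS logs" suggestion in the thread, as an added example that is not part of the original messages: a small parser for IIS W3C extended logs that groups the 403 responses sent to one client by method, URI and user agent. The log lines, the field layout and the address 192.0.2.10 (standing in for the Domain Controller) are constructed placeholders.

```python
from collections import Counter

# Constructed sample of an IIS W3C extended log (not data from the thread).
# 192.0.2.10 stands in for the Domain Controller; all values are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-03-23 04:24:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status cs(User-Agent)
2004-03-23 04:24:14 192.0.2.10 - 80 GET /sample/a 403 Sample-Agent/1.0
2004-03-23 04:24:15 192.0.2.55 - 80 GET /sample/b 200 Mozilla/4.0+(compatible)
2004-03-23 04:25:14 192.0.2.10 - 80 GET /sample/a 403 Sample-Agent/1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-23 04:26:14 192.0.2.10 POST /sample/c 403
2004-03-23 04:26:20 192.0.2.10 GET /sample/d 401
"""


def parse_w3c(lines):
    """Yield one dict per request, honouring every #Fields: directive."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()  # IIS writes spaces inside values as '+'
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def requests_with_status(lines, client_ip, status="403"):
    """Count a client's requests that received `status`, grouped by
    (method, URI stem, user agent); missing columns are reported as '-'."""
    hits = Counter()
    for row in parse_w3c(lines):
        if row.get("c-ip") == client_ip and row.get("sc-status") == status:
            key = (row.get("cs-method", "-"), row.get("cs-uri-stem", "-"),
                   row.get("cs(User-Agent)", "-"))
            hits[key] += 1
    return hits


if __name__ == "__main__":
    found = requests_with_status(SAMPLE_LOG.splitlines(), "192.0.2.10")
    for (method, uri, agent), n in found.most_common():
        print(f"{n:3d}  {method:5s} {uri}  agent={agent}")
```

The URI stem and user agent of the grouped requests are what identify which component on the client host is issuing them, which the Snort alert on the response alone does not show.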



