Snort mailing list archives
RE: ATTACK RESPONSES 403 Forbidden
From: "Gould, Scott" <sgould () gogstats org>
Date: Tue, 23 Mar 2004 11:26:56 -0500
Actually, the source IP was the Exchange Server replying to the DC with a 403, which would imply that the http request originated from the DC. No web based admin tools installed. Still got me stumped.

________________________________

From: Koski, Brian [mailto:bkoski () ci citrus-heights ca us]
Sent: Tue 3/23/2004 10:53 AM
To: Gould, Scott
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] ATTACK RESPONSES 403 Forbidden

So the source IP was the DC? Did you check the IIS logs? Anyone maybe ran a web-based admin tool?

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Gould, Scott
Sent: Monday, March 22, 2004 8:54 PM
Cc: snort-users () lists sourceforge net
Subject: [Snort-users] ATTACK RESPONSES 403 Forbidden

Hi, new to snort but loving it so far. All going well, but a little stumped on something. Seeing ATTACK RESPONSES 403 Forbidden

HTTP/1.1 403 Access Forbidden
Server: Microsoft-IIS/5.0
Date: Tue, 23 Mar 2004 04:24:14 GMT
Content-Length: 3779
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html dir=ltr>
<head>
<style>
a:link...{font:8pt/11pt verdana; color:FF0000}
a:visited..{font

in a response from a Microsoft Exchange 2000 server to a Windows 2000 Server Domain Controller. The Domain Controller is also a Global Catalog.

Made sure no admins were accessing webmail from the Domain Controller; the machine did not even have a browser running when these responses came back. Wasn't aware of communication between a Domain Controller and Exchange 2000 server that takes place over http.

Anyone with a windows shop see these and have any ideas?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- ATTACK RESPONSES 403 Forbidden Gould, Scott (Mar 22)
- <Possible follow-ups>
- RE: ATTACK RESPONSES 403 Forbidden Gould, Scott (Mar 23)