Re: WEB-CLIENT Excel malformed FBI record - False positive?

[Jack Pepper <pepperjack () afferentsecurity com>]

Quoting Jesper Skou Jensen <jesper.skou.jensen () uni-c dk>:


> "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any"
>
> which I read as the $HOME_NET is the destination, BUT when I read the
> Snort syslog message below, it looks like the "attack" originates from
> my webserver. Is that a correct assumption?

not quite.  look at the connection that would match this rule:

outside_server:port80 and insideserver:otherport

the way this conversation sets up is when a browser (on the inside)  
browses to port 80 (or other HTTP_PORT) on some outside source.

So if you browse to http://www.google.com , the external host will be  
on port 80, the inside host will be on some high numbered port.

ok?  So this rule reacts to inside users browsing out.

which means this is not really an "outside-in attack", but is really a  
user downloading something that may contain a poison payload.


jp

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com


-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users