[Snort-sigs] Need a little help over here...
rreid at ...414...
Wed Mar 6 13:33:03 EST 2002
I have noticed that this rule is acually reversed. The box that generates
the error "403 forbidden" is shown as the source and the machine accessing
the web server is shown as the destination.
Here is the payload from one of my IIS's which triggered this alert:
"HTTP/1.1 403 Access Forbidden
Date: Wed, 06 Mar 2002 20:31:29 GMT
<html><head><title>Directory Listing Denied</title></head>
<body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow
contents to be listed.</body></html>"
In this case the IIS was shown as source and the attacker as destination.
From: Mark Taber [mailto:mark at ...410...]
Sent: Wednesday, March 06, 2002 2:44 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Need a little help over here...
I am a little new to creating rules and I was wondering if I could get a
little help. I have an issue with a snort sensor sending out traffic to a
secured site and receiving a "web-misc 403 forbidden". I haven't been able
to figure out why that computer is going to the site, so I haven't been able
to stop the traffic. I was wondering if I could create a "pass" rule that
would allow me to get rid of those alerts. The original rule is:
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403
Forbidden";flags: A+; content:"HTTP/1.1 403";
depth:12;classtype:attempted-recon; sid:1201; rev:2;)
(Rule that I am creating)
pass tcp $HTTP_SERVERS 80 -> x.x.x.x any(IP Of Secured Site?) (msg:"WEB-MISC
403 Forbidden";flags: A+; content:"HTTP/1.1 403"; depth:12;
classtype:attempted-recon; sid:1201; rev:2;)
I believe I would need to run snort with the -o switch configured, is that
Looking it over again, I think I am even more confused? Which side of the
"->" is my sensor, and which side is information coming from the website?
Please help, my head hurts...
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
More information about the Snort-sigs