[Snort-sigs] Need a little help over here...

Brian bmc at ...95...
Thu Mar 7 10:42:02 EST 2002


According to Robert Reid:
> I have noticed that this rule is actually reversed. The box that generates
> the error "403 forbidden" is shown as the source and the machine accessing
> the web server is shown as the destination.

You are correct.  This signature is looking for the 403 response from 
'your' web servers.  This is usually indicative of someone attempting 
to gain access to something that is administratively forbidden. 

You should review the web server's logs to find out what web page 
the user attempted to view and verify that the web page the user
attempted to view was not sensitive and that the web server has not
been compromised.  Verify that the user did not attempt to access other 
pages on the web server that are sensitive.  Verify that the user's 
source IP address did not attempt to access other services.  

-- 
Normal is a cycle on a washing machine
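
The web-log part of the review described in the reply above, as an added example that is not part of the original message: for each client that received a 403, it lists what was denied and which sensitive paths that same client was served anyway. The log lines are constructed samples in Common Log Format, and the `SENSITIVE_PREFIXES` list and the `triage_403` name are assumptions for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Mar/2002:10:01:11 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [07/Mar/2002:10:01:15 -0500] "GET /admin/ HTTP/1.0" 403 289
192.0.2.10 - - [07/Mar/2002:10:01:19 -0500] "GET /admin/users.db HTTP/1.0" 403 289
192.0.2.10 - - [07/Mar/2002:10:01:24 -0500] "GET /backup/site.tar HTTP/1.0" 200 88213
198.51.100.7 - - [07/Mar/2002:10:02:02 -0500] "GET /index.html HTTP/1.0" 200 1043
malformed line that the parser should skip
"""

# Assumption: path prefixes this site treats as sensitive.
SENSITIVE_PREFIXES = ("/admin", "/backup")


def triage_403(log_text, sensitive=SENSITIVE_PREFIXES):
    """For every client that received a 403, return what it was denied and
    which sensitive paths it was nevertheless served (2xx)."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m:  # lines that are not valid CLF are skipped, not guessed at
            host, path, status = m.groups()
            by_client[host].append((path, int(status)))
    report = {}
    for host, reqs in by_client.items():
        denied = [p for p, s in reqs if s == 403]
        if not denied:
            continue  # client never triggered the 403 signature
        served = [p for p, s in reqs
                  if 200 <= s < 300 and p.startswith(sensitive)]
        report[host] = {"denied": denied, "served_sensitive": served,
                        "total_requests": len(reqs)}
    return report


if __name__ == "__main__":
    for host, info in triage_403(SAMPLE_LOG).items():
        print(host, info)
```

Checking whether the same source address touched other services needs firewall or other service logs, which this example does not cover.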



