[Snort-sigs] Documentation for Rule 488 INFO Connection Closed MSG from Port 80
bmc at ...95...
Sun Dec 14 18:17:02 EST 2003
On Mon, Dec 15, 2003 at 08:17:28AM +1300, Russell Fulton wrote:
> On Sun, 2003-12-14 at 17:01, Brian wrote:
> > Sorry, but this is wrong. I don't have time to explain it now, but
> > trust me. Normal web servers (even when you use telnet to connect to
> > them) NEVER end the connection with "Connection closed by foreign host".
>
> Hmm... I agree and this raises the question: isn't the rule
> fundamentally broken since that text will never traverse the network?

No. My comment was in response to his docs, where he stated that using
telnet to connect to a web server will cause the string to appear.

There are many cases where seeing this string would be bad. The common
case where I have seen this rule fire is where a web server has been
compromised and a shell has been bound to port 80 and further exploits
are being run through it.
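
The case described in the message above, as an added example that is not part of the original post or of the Snort rule set: a small detector that inspects only bytes sent from port 80 and finds the telnet client's message even when it is split across segments. The function name, the case-insensitive match and all sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Message the telnet client prints locally; lower-cased for matching
# (case-insensitive matching is an assumption of this example).
MARKER = b"connection closed by foreign host"


def flag_streams(segments, server_port=80):
    """Return sorted flow ids whose server-to-client bytes contain MARKER.

    segments: iterable of (flow_id, src_port, payload) in arrival order.
    Only bytes sent *from* server_port are inspected. A per-flow tail of
    len(MARKER) - 1 bytes is kept so a marker split across two segments
    is still found.
    """
    tails = defaultdict(bytes)
    hits = set()
    for flow_id, src_port, payload in segments:
        if src_port != server_port or flow_id in hits:
            continue
        window = tails[flow_id] + payload.lower()
        if MARKER in window:
            hits.add(flow_id)
        tails[flow_id] = window[-(len(MARKER) - 1):]
    return sorted(hits)


# Constructed sample flows, not captured traffic.
SAMPLE = [
    # "a": ordinary HTTP response; the server just closes the socket.
    ("a", 80, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    # "b": the string appears only in client-to-server data (wrong direction).
    ("b", 40312, b"POST /c HTTP/1.0\r\n\r\nConnection closed by foreign host"),
    ("b", 80, b"HTTP/1.0 404 Not Found\r\n\r\n"),
    # "c": a shell on port 80 relaying telnet client output, split in two.
    ("c", 80, b"Trying 192.0.2.10...\nConnected.\nConnection clo"),
    ("c", 80, b"sed by foreign host.\n"),
]

if __name__ == "__main__":
    print(flag_streams(SAMPLE))
```
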