[Snort-sigs] Documentation for Rule 488 INFO Connection Closed MSG from Port 80

Brian bmc at ...95...
Sun Dec 14 18:17:02 EST 2003


On Mon, Dec 15, 2003 at 08:17:28AM +1300, Russell Fulton wrote:
> On Sun, 2003-12-14 at 17:01, Brian wrote:
> 
> > Sorry, but this is wrong.  I don't have time to explain it now, but
> > trust me.  Normal web servers (even when you use telnet to connect to
> > them) NEVER end the connection with "Connection closed by foreign host".
> 
> Hmm... I agree and this raises the question: isn't the rule
> fundamentally broken since that text will never traverse the network?

No.  My comment was in response to his docs, where he stated that using
telnet to connect to a web server will cause the string to appear.

There are many cases where seeing this string would be bad.  The common
case where I have seen this rule fire is where a web server has been
compromised and a shell has been bound to port 80 and further exploits
are being run through it.

-b
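As an added illustration of the case described in this message (not part of the original post and not Snort's own code or the rule's text): a Python sketch that looks for the string in data sent from port 80, joining segments first so a split string still matches, and separating hits inside an HTTP response from hits in a stream that is not HTTP. The tuple layout, the simplified ordering number and the sample traffic are constructed assumptions.

```python
import re
from collections import defaultdict

# String named in the thread, lower-cased for a case-insensitive search.
NEEDLE = b"connection closed by foreign host"
# A normal web server reply starts with an HTTP status line.
HTTP_STATUS = re.compile(rb"^HTTP/\d\.\d \d{3}")

def find_port80_matches(segments):
    """segments: iterable of (flow_id, src_port, order, payload) tuples.
    'order' is a simplified stand-in for TCP sequence ordering; overlaps
    and retransmissions are not handled here.
    Returns {flow_id: "http-body" | "non-http"} for matching flows."""
    streams = defaultdict(list)
    for flow_id, src_port, order, payload in segments:
        if src_port == 80:                      # only data sent from port 80
            streams[flow_id].append((order, payload))
    hits = {}
    for flow_id, parts in streams.items():
        # Join in order so a string split across two segments is still seen.
        data = b"".join(p for _, p in sorted(parts))
        if NEEDLE in data.lower():
            # A hit inside an HTTP response is usually page content quoting
            # the phrase; a hit in a non-HTTP stream from port 80 is the
            # situation the message describes and deserves a closer look.
            hits[flow_id] = "http-body" if HTTP_STATUS.match(data) else "non-http"
    return hits

# Constructed sample traffic (addresses from the documentation range).
SAMPLE = [
    ("A", 80, 1, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>hello</p>"),
    ("A", 40000, 1, b"GET / HTTP/1.1\r\n\r\n"),
    ("B", 80, 20, b"closed by foreign host.\r\n$ "),       # arrives out of order
    ("B", 80, 1, b"Trying 192.0.2.7...\r\nConnection "),
    ("C", 80, 1, b"HTTP/1.1 200 OK\r\n\r\n<pre>Connection closed by foreign host.</pre>"),
    ("D", 40001, 1, b"Connection closed by foreign host"),  # not from port 80
]

if __name__ == "__main__":
    for flow, kind in find_port80_matches(SAMPLE).items():
        print(flow, kind)
```
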



