[Snort-sigs] Documentation for Rule 488 INFO Connection Closed MSG from Port 80

Adams, Samuel (contractor) AdamsS at ...2026...
Sat Dec 20 03:50:01 EST 2003


Curious about your comment, I connected to several "normal" (I have no idea
what normal means in this or really any context) web servers on port 80. 
I attempted to grab a banner with the following command:
get http/1.1

While some returned an informative banner and some did not - without
exception the connections ended with "Connection closed by foreign host." Am
I missing something here? Were you thinking of some other way to telnet to a
web server and grab a banner? Or am I connecting to abnormal web servers? 

-----Original Message-----
From: Brian [mailto:bmc at ...95...]
Sent: Monday, December 15, 2003 2:17 AM
To: Russell Fulton
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Documentation for Rule 488 INFO Connection
Closed MSG from Port 80


On Mon, Dec 15, 2003 at 08:17:28AM +1300, Russell Fulton wrote:
> On Sun, 2003-12-14 at 17:01, Brian wrote:
> 
> > Sorry, but this is wrong.  I don't have time to explain it now, but
> > trust me.  Normal web servers (even when you use telnet to connect to
> > them) NEVER end the connection with "Connection closed by foreign host".
> 
> Hmm... I agree and this raises the question: isn't the rule
> fundamentally broken since that text will never traverse the network?

No.  My comment was in response to his docs, where he stated that using
telnet to connect to a web server will cause the string to appear.

There are many cases where seeing this string would be bad.  The common
case where I have seen this rule fire is where a web server has been
compromised and a shell has been bound to port 80 and further exploits
are being run through it.

-b
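To make Brian's point concrete, here is an added example (not code from the thread or from the Snort rule set) that models the rule as a plain content match on server-side traffic from port 80 and runs it over constructed payloads; the rule's exact options, the IP addresses and the shell output are assumptions made up for the example.

```python
# Added example, not from the thread: a minimal model of what a content
# rule like Snort SID 488 checks, run over constructed sample payloads.
# Assumption: the rule boils down to "payload sent from TCP port 80
# contains the telnet client's close message"; its exact options are
# not reproduced here.

NEEDLE = b"Connection closed by foreign host"

def rule_488_matches(src_port: int, payload: bytes) -> bool:
    """True when a server->client payload from port 80 carries the telnet
    client's close message, which a web server itself never sends."""
    return src_port == 80 and NEEDLE in payload

# Constructed sample 1: a normal HTTP reply to a hand-typed request. The
# server answers and then drops the TCP connection; the text "Connection
# closed by foreign host." is printed by the *local* telnet client and
# never appears on the wire, so the rule stays quiet.
NORMAL_HTTP = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Apache\r\n"
    b"Connection: close\r\n\r\n"
)

# Constructed sample 2: the case Brian describes. A shell bound to port 80
# on a compromised host relays the output of a telnet client run *on that
# host*, so the client's status lines, including the close message, travel
# back over the port-80 session where the sensor can see them.
BOUND_SHELL_RELAY = (
    b"$ telnet 192.0.2.10 25\r\n"          # 192.0.2.0/24 is documentation space
    b"Trying 192.0.2.10...\r\n"
    b"Connected to 192.0.2.10.\r\n"
    b"Escape character is '^]'.\r\n"
    b"220 mail.example.test ESMTP\r\n"
    b"Connection closed by foreign host.\r\n"
    b"$ "
)

def scan(flows):
    """Return the labels of the flows the rule would fire on."""
    return [label for label, port, data in flows if rule_488_matches(port, data)]

SAMPLE_FLOWS = [
    ("normal-http", 80, NORMAL_HTTP),
    ("bound-shell-relay", 80, BOUND_SHELL_RELAY),
    ("other-port", 2323, BOUND_SHELL_RELAY),  # same bytes, wrong port: no alert
]

if __name__ == "__main__":
    print(scan(SAMPLE_FLOWS))  # ['bound-shell-relay']
```

Because the match is a bare substring check, any port-80 payload that happens to carry the string (for instance a web page quoting telnet output) would also fire, so alerts from this rule still need the surrounding session looked at.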


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
