[Snort-sigs] Documentation for Rule 488 INFO Connection Closed MSG from Port 80

Nathan Bain nebain at ...1671...
Sat Dec 20 06:38:00 EST 2003


The telnet program is generating this message - not the webserver.  If you
telnet to any other service that would close the connection (OpenSSH, for
one) and hit enter a few times, the server closes the connection, and
telnet informs you of this by saying "Connection closed by foreign host."

That message would never traverse the network on port 80, unless of course
it is contained in a web page's content.  If you use other tools, such as
nc, to grab banners, you will not see the message because nc does not
explicitly inform you that the connection was closed.

Nathan Bain
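The point above, as an added example that is not part of the thread: a constructed local stand-in server that sends a banner and drops the connection after one line, read first the way nc does (only the bytes the peer sent) and then the way telnet does (same bytes plus a locally generated notice on EOF). The server, port and banner text are constructed for the demonstration.

```python
import socket
import threading

# Constructed sample banner; stands in for whatever a real daemon would send.
BANNER = b"SSH-2.0-ConstructedBanner\r\n"
LOCAL_NOTICE = "Connection closed by foreign host."


def _closing_server(srv):
    """Accept one client, send the banner, wait for one line, then close.
    This mimics a service that drops the connection after input."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(BANNER)
        conn.recv(1024)  # the client's "hit enter"
    srv.close()


def start_server():
    """Start the stand-in server on an ephemeral loopback port; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_closing_server, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(port):
    """nc-style grab: return exactly the bytes the peer sent, nothing more."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        data = s.recv(4096)
        s.sendall(b"\r\n")
        while True:
            chunk = s.recv(4096)
            if not chunk:  # EOF: the peer closed; no text crosses the wire for this
                break
            data += chunk
    return data


def telnet_style(port):
    """telnet-style grab: the same wire bytes, plus a notice the *client*
    prints on EOF. Returns (wire_bytes, local_notice) so the two are kept apart."""
    return grab_banner(port), LOCAL_NOTICE
```

Only the first element of `telnet_style`'s result ever traverses the network; a content match on the notice string therefore means the peer itself sent it.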

On Sat, 20 Dec 2003, Adams, Samuel (contractor) wrote:

> Curious about your comment, I connected to several "normal" (I have no idea
> what normal means in this or really any context) web servers on port 80. 
> I attempted to grab a banner with the following command:
> get http/1.1
> 
> While some returned an informative banner and some did not - without
> exception the connections ended with "Connection closed by foreign host." Am
> I missing something here? Were you thinking of some other way to telnet to a
> web server and grab a banner? Or am I connecting to abnormal web servers? 
> 
> -----Original Message-----
> From: Brian [mailto:bmc at ...95...]
> Sent: Monday, December 15, 2003 2:17 AM
> To: Russell Fulton
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Documentation for Rule 488 INFO Connection
> Closed MSG from Port 80
> 
> 
> On Mon, Dec 15, 2003 at 08:17:28AM +1300, Russell Fulton wrote:
> > On Sun, 2003-12-14 at 17:01, Brian wrote:
> > 
> > > Sorry, but this is wrong.  I don't have time to explain it now, but
> > > trust me.  Normal web servers (even when you use telnet to connect to
> > > them) NEVER end the connection with "Connection closed by foreign host".
> > 
> > Hmm... I agree and this raises the question: isn't the rule
> > fundamentally broken since that text will never traverse the network?
> 
> No.  My comment was in response to his docs, where he stated that using
> telnet to connect to a web server will cause the string to appear.
> 
> There are many cases where seeing this string would be bad.  The common
> case where I have seen this rule fire is where a web server has been
> compromised and a shell has been bound to port 80 and further exploits
> are being run through it.
> 
> -b
> 
> 