[Snort-sigs] Signature Definition #1201, 16 of 20

Esler, Joel Contractor EslerJ at ...785...
Mon Jun 9 10:31:46 EDT 2003

 Rule: -- ATTACK-RESPONSES 403 Forbidden 
 Sid: -- 1201
 Summary: -- This string detects "HTTP/1.1 403" in traffic in flow from
webservers defined.  
 Impact: -- None
 Detailed Information: -- This can show that a host was denied by the access
list defined on a webserver.  A system administrator can use this
information to see if an IP did a scan for port 80 on a network.  While most
people deny all access to port 80 to their network and no denies to all
their webservers.  A Sysadmin that doesn't review their router logs may not
catch scans like this.
 Affected Systems: -- Any that have Webservers on them
 Attack Scenarios: -- Slim
 Ease of Attack: -- Easy
 False Positives: -- Unknown
 False Negatives: -- Unknown
 Corrective Action: -- Correct access lists to webpages.
 Contributors: -- Joel Esler
 Additional References: 


More information about the Snort-sigs mailing list