[Snort-sigs] Signature Definition #1227 , 16 of 20
Esler, Joel Contractor
EslerJ at ...785...
Mon Jun 9 10:39:06 EDT 2003
Rule: -- X11 outbound client connection detected
Sid: -- 1227
Summary: -- This string detects connections outbound from ports 6000-6005
Impact: -- None
Detailed Information: -- This can show that a host has outbound traffic
originating from ports 6000-6005. Commonly the X11 client runs on these
ports, and remote displays of a root terminal window can be sent to remote
Affected Systems: -- Unix/Linux -- Any OS that runs X as their desktop.
Attack Scenarios: -- Slim to Extreme
Ease of Attack: -- Moderate
False Positives: -- Outbound traffic from web requests or similar outbound
traffic that happens to go outbound between ports 6000 - 6005.
False Negatives: -- Unknown
Corrective Action: -- Disallow users to be able to send X windows
connections to outbound clients at the routers.
Contributors: -- Joel Esler
Additional References: arachnids,126
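
An added example, not part of the original post or of the Snort rule set: one way to triage alerts against the false positive described above. It checks whether a home host sent the initial SYN from a port in 6000-6005 (a client source port that happened to fall in the range) or answered with SYN-ACK from it (something accepts connections there). The Packet record, the 10.0.0.0/8 home network and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

X11_PORTS = range(6000, 6006)                  # ports 6000-6005 from the signature text
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed home network
RANK = {"unknown": 0, "ephemeral": 1, "listener": 2}

@dataclass(frozen=True)
class Packet:          # hypothetical record, e.g. parsed from a capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str         # TCP flags as letters: "S", "SA", "PA", ...

def triage(packets):
    """Label each home endpoint that sends from ports 6000-6005.

    'listener'  : it answered a SYN with SYN-ACK from that port.
    'ephemeral' : it sent the initial SYN from that port (false positive case).
    'unknown'   : only mid-stream packets were seen, handshake missing.
    """
    verdicts = {}
    for p in packets:
        if p.sport not in X11_PORTS or ipaddress.ip_address(p.src) not in HOME_NET:
            continue
        flags = set(p.flags)
        if {"S", "A"} <= flags:
            label = "listener"
        elif "S" in flags:
            label = "ephemeral"
        else:
            label = "unknown"
        key = (p.src, p.sport)
        # Keep the strongest evidence seen for this endpoint.
        if RANK[label] >= RANK[verdicts.get(key, "unknown")]:
            verdicts[key] = label
    return verdicts

# Constructed sample packets (documentation address ranges for remote hosts).
SAMPLE = [
    Packet("10.0.0.5", 6001, "192.0.2.10", 80, "S"),        # web request from port 6001
    Packet("198.51.100.7", 40112, "10.0.0.9", 6000, "S"),   # inbound SYN, not from home
    Packet("10.0.0.9", 6000, "198.51.100.7", 40112, "SA"),  # home host accepts on 6000
    Packet("10.0.0.12", 6003, "203.0.113.4", 443, "PA"),    # mid-stream only
]

if __name__ == "__main__":
    for endpoint, label in triage(SAMPLE).items():
        print(endpoint, label)
```
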