[Snort-sigs] RE: Signature Definition #1227 , 17 of 20

Esler, Joel Contractor EslerJ at ...785...
Mon Jun 9 10:40:05 EDT 2003


 Rule: -- X11 outbound client connection detected 
 Sid: -- 1227 
 Summary: -- This string detects Connections outbound from ports 6000-6005
 Impact: -- None
 Detailed Information: -- This can show that a host has outbound traffic
originating from ports 6000-6005.  Commonly the X11 client runs on these
ports, and remote displays of a root terminal window can be sent to remote
computers.
 Affected Systems: -- Unix/Linux -- Any OS that runs X as their desktop.
 Attack Scenarios: -- Slim to Extreme
 Ease of Attack: -- Moderate
 False Positives: -- Outbound traffic from web requests or similiar outbound
traffic that happens to go outbound between ports 6000 - 6005.  
 False Negatives: -- Unknown
 Corrective Action: -- Disallow users to be able to send X windows
connections to outbound clients at the routers.
 Contributors: -- Joel Esler
 Additional References: arachnids,126

 




More information about the Snort-sigs mailing list