[Snort-sigs] SID 1227

Steven Alexander alexander.s at ...1565...
Mon Jun 9 15:06:07 EDT 2003


Rule:  
X11 outbound client connection detected 
--
Sid:

1227

--
Summary:
Indicates that someone on the local network has established an xterm
session to an X server on another network.

--
Impact:

The remote system may be compromised.

--
Detailed Information:

This signature looks for local connections to ports 6000-6005 on any
machine from an external network.

--
Affected Systems:

Unix
--
Attack Scenarios:

A user on the local network may have compromised a remote machine.  

--
Ease of Attack:
Moderate

--
False Positives:

An external machine may have connected to a local machine with an
ephemeral port number between 6000 and 6005.

--
False Negatives:

None known.
--
Corrective Action:

xterm sessions with remote machines should be tunneled through ssh to
thwart sniffers and session hijacking.

--
Contributors:
Documentation - Steven Alexander <alexander.s at ...1565...>
-- 
Additional References:
http://www.whitehats.com/info/IDS126
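
The false positive described above can be separated from a real outbound X11 session by checking which side opened the TCP connection. The following triage sketch is an added example, not part of the original post or of Snort; the HOME_NET value, the flow-record layout, and the sample flows are constructed assumptions.

```python
import ipaddress

# Assumption: HOME_NET is a constructed documentation range, not from the post.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
X11_PORTS = range(6000, 6006)  # ports 6000-6005, as stated in the rule text


def is_local(ip):
    """True when the address belongs to the protected network."""
    return ipaddress.ip_address(ip) in HOME_NET


def triage(flow):
    """Classify one TCP flow that touched ports 6000-6005.

    flow is a hypothetical record: {"client": (ip, port), "server": (ip, port)},
    where "client" is the side that sent the initial SYN.
    """
    c_ip, c_port = flow["client"]
    s_ip, s_port = flow["server"]
    # Local host opened a connection to a remote X server port: the case
    # the signature is meant to report.
    if is_local(c_ip) and not is_local(s_ip) and s_port in X11_PORTS:
        return "x11-outbound"
    # Remote host connected inbound and happened to pick an ephemeral source
    # port in 6000-6005: the documented false positive.
    if not is_local(c_ip) and is_local(s_ip) and c_port in X11_PORTS:
        return "ephemeral-port-fp"
    return "not-matched"


# Constructed sample flows (documentation addresses only).
SAMPLE_FLOWS = [
    {"client": ("192.0.2.10", 41022), "server": ("198.51.100.7", 6000)},
    {"client": ("198.51.100.9", 6003), "server": ("192.0.2.25", 80)},
    {"client": ("192.0.2.10", 6001), "server": ("192.0.2.11", 22)},
    {"client": ("192.0.2.30", 50500), "server": ("198.51.100.7", 6006)},
]


def triage_all(flows=SAMPLE_FLOWS):
    """Return the verdict for each flow, in order."""
    return [triage(f) for f in flows]


if __name__ == "__main__":
    for f, verdict in zip(SAMPLE_FLOWS, triage_all()):
        print(f["client"], "->", f["server"], verdict)
```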



