[Snort-sigs] SID 1227
alexander.s at ...1565...
Mon Jun 9 15:06:07 EDT 2003
X11 outbound client connection detected
Indicates that someone on the local network has established an xterm
session to an X server on another network.
The remote system may be compromised.
This signature looks for local connections to ports 6000-6005 on any
machine from an external network.
A user on the local network may have compromised a remote machine.
Ease of Attack:
An external machine may have connected to a local machine with an
ephemeral port number between 6000 and 6005.
xterm sessions with remote machine should be tunneled through ssh to
thwart sniffers and session hijacking.
Documentation - Steven Alexander<alexander.s at ...1565...>
More information about the Snort-sigs