[Snort-users] Compaq Insight alert

per.thorsheim at ...268... per.thorsheim at ...268...
Mon Aug 7 08:46:51 EDT 2000

Hello Ralf,

I submitted the rule to whitehats some time ago.

Where is the website located, and where is the workstation?

The rule should look for attempts to exploit an 'old' vulnerability in the
Compaq Insight Manager living on port 2301. If you don't have
any Compaq boxes internally running CIM, you can take it away
(since you haven't got the service anyway), or at least 'downgrade' the
severity of the alert.

A content like "../" (without quotes) in a http request to port 2301 should
be considered a hostile attempt in most cases, searching for vulnerable
CIM boxes.

Per Thorsheim

Ralf Günthner <tgue at ...106...> on 08/03/2000 11:21:08 AM
Hi list

I get this alert quite often:

[**] IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot [**]
08/03-10:56:52.660000 0:C0:95:E0:FC:82 -> 0:50:2A:B5:AC:0 type:0x800 len:0x236 -> x.x.2.207:2301 TCP TTL:64 TOS:0x0 ID:11435
******A* Seq: 0x4AB74601   Ack: 0xD993B6   Win: 0x4000

It's just innocent Web-traffic between a website and one of our workstations, as
far as I can tell. I'm thinking of commenting out this alert, because it gets
triggered so often...Any other ideas?

Ralf G.

The information transmitted is intended only for the person or entity to which
it is addressed and may contain confidential and/or privileged material.  Any
review, retransmission, dissemination or other use of, or taking of any action
in reliance upon, this information by persons or entities other than the
intended recipient is prohibited.   If you received this in error, please
contact the sender and delete the material from any computer.

More information about the Snort-users mailing list