[Snort-users] Alert Question

Neil Dickey neil at ...1633...
Fri Apr 20 12:40:08 EDT 2001


Edwin Covert <ecovert at ...1864...> wrote asking:

>I recently saw the following entry in my alert IDS:
>
>[**] WEB-IIS - Unauthorized Login Attempt [**]
>04/20-09:21:54.623322 207.197.132.205:80 -> yyy.yyy.yyy.yyy:1297
>TCP TTL:128 TOS:0x0 ID:39139  DF
>*****PA* Seq: 0x19D1554   Ack: 0x58C10   Win: 0x20CD
>
>The 207 address is our webserver. The YYY address is my internal IP
>on the LAN via NAT.  So, what am I seeing?  Any help would be
>appreciated.

Someone on your network went to a website that refused them
the page they asked for.  I've seen these messages a bit, and
all of them so far have been innocent.  I went to the sites
myself to see what was up.

The logs for your web server should show what was being
requested and the reasons for refusing it.  Sometimes it just
means that the permissions on the requested file have been
incorrectly set.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Davis Hall 312
Northern Illinois University
DeKalb, Illinois
60115
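
An added example, not part of the original post or of Snort itself: a small Python triage helper that parses the alert layout quoted above and uses the port numbers to tell a web server's response from a client's request, which identifies the server whose logs to check. The function names and the `WEB_PORTS` set are assumptions made for this illustration.

```python
import re

# The alert quoted in the post, as-is (the poster masked the internal address).
SAMPLE = """\
>[**] WEB-IIS - Unauthorized Login Attempt [**]
>04/20-09:21:54.623322 207.197.132.205:80 -> yyy.yyy.yyy.yyy:1297
>TCP TTL:128 TOS:0x0 ID:39139  DF
>*****PA* Seq: 0x19D1554   Ack: 0x58C10   Win: 0x20CD
"""

TITLE_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]$")
FLOW_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)$"
)
WEB_PORTS = {80, 443, 8080}  # assumption: ports treated as "web server" ports


def parse_alert(text):
    """Parse the title and flow lines of one alert; None if unrecognized."""
    # Drop mail-quote markers and blank lines before matching.
    lines = [ln.lstrip("> ").strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    if len(lines) < 2:
        return None
    title, flow = TITLE_RE.match(lines[0]), FLOW_RE.match(lines[1])
    if not (title and flow):
        return None
    rec = {"msg": title.group("msg"), **flow.groupdict()}
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def triage(text):
    """Label the packet as a server response or a client request by port."""
    rec = parse_alert(text)
    if rec is None:
        return None
    from_web, to_web = rec["sport"] in WEB_PORTS, rec["dport"] in WEB_PORTS
    if from_web and not to_web:
        rec.update(direction="response", web_server=rec["src"], client=rec["dst"])
    elif to_web and not from_web:
        rec.update(direction="request", web_server=rec["dst"], client=rec["src"])
    else:
        rec["direction"] = "unknown"
    return rec


if __name__ == "__main__":
    print(triage(SAMPLE))
```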
