[Snort-users] Alert Question
neil at ...1633...
Fri Apr 20 12:40:08 EDT 2001
Edwin Covert <ecovert at ...1864...> wrote asking:
>I recently saw this following entry in my alert IDS:
>[**] WEB-IIS - Unauthorized Login Attempt [**]
>04/20-09:21:54.623322 22.214.171.124:80 -> yyy.yyy.yyy.yyy:1297
>TCP TTL:128 TOS:0x0 ID:39139 DF
>*****PA* Seq: 0x19D1554 Ack: 0x58C10 Win: 0x20CD
>The 207 address is our webserver. The YYY address is my internal IP
>on the LAN via NAT. So, what am I seeing? Any help would be
Someone on your network went to a website that refused them
the page they asked for. I've seen these messages a bit, and
all of them so far have been innocent. I went to the sites
myself to see what was up.
The logs for your web server should show what was being
requested and the reasons for refusing it. Sometimes it just
means that the permissions on the requested file have been
Neil Dickey, Ph.D.
Davis Hall 312
Northern Illinois University
More information about the Snort-users