[Snort-users] Unusual http traffic

Chris Green cmg at ...671...
Mon Oct 22 14:01:08 EDT 2001


Fraser Hugh <hugh_fraser at ...2804...> writes:

> I've turned off the Code Red and Nimda alert rules since we're
> comfortable with our ability to deal with those on the servers
> themselves. It's more the balance of the URL that looked unusual.

Is your webserver where you got those logs from?  It really looks like
your webserver is interpreting the extra characters that form the /../
part as TLS/SSL control commands.

What webserver is that?

If you turned off the rules, you're not going to see that. Cmd.exe
rules catch common attacks from several different types and not just
code red but they certainly aren't 100% reliable.
-- 
Chris Green <cmg at ...671...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx



