[Snort-users] Unusual http traffic

Fraser Hugh hugh_fraser at ...2804...
Tue Oct 23 11:07:06 EDT 2001


They're from an IIS server.

> -----Original Message-----
> From: Chris Green [mailto:cmg at ...671...]
> Sent: Monday, October 22, 2001 5:01 PM
> To: Fraser Hugh
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Unusual http traffic
> 
> 
> Fraser Hugh <hugh_fraser at ...2804...> writes:
> 
> > I've turned off the Code Red and Nimda alert rules since we're
> > comfortable with our ability to deal with those on the servers
> > themselves. It's more the balance of the URL that looked unusual.
> 
> Is your webserver where you got those logs from?  It really looks like
> your webserver is interpreting the extra characters that form the /../
> part as TLS/SSL control commands.
> 
> What webserver is that?
> 
> If you turned off the rules, you're not going to see that. Cmd.exe
> rules catch common attacks from several different types and not just
> code red but they certainly aren't 100% reliable.
> -- 
> Chris Green <cmg at ...671...>
> I've had a perfectly wonderful evening. But this wasn't it.
>      -- Groucho Marx
> 



