[Snort-users] Unusual http traffic
hugh_fraser at ...2804...
Tue Oct 23 11:07:06 EDT 2001
They're from an IIS server.
> -----Original Message-----
> From: Chris Green [mailto:cmg at ...671...]
> Sent: Monday, October 22, 2001 5:01 PM
> To: Fraser Hugh
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Unusual http traffic
> Fraser Hugh <hugh_fraser at ...2804...> writes:
> > I've turned off the Code Red and Nimda alert rules since we're
> > comfortable with our ability to deal with those on the servers
> > themselves. It's more the balance of the URL that looked unusual.
> Is your webserver where you got those logs from? It really looks like
> your webserver is interpreting the extra characters that form the /../
> part as TLS/SSL control commands.
> What webserver is that?
> If you turned off the rules, you're not going to see that. Cmd.exe
> rules catch common attacks from several different types and not just
> code red but they certainly aren't 100% reliable.
> Chris Green <cmg at ...671...>
> I've had a perfectly wonderful evening. But this wasn't it.
> -- Groucho Marx