[Snort-users] what does this mean?

Matt Kettler mkettler at ...4108...
Wed Aug 21 12:59:04 EDT 2002


It means you have HTTP_SERVERS set to 'any' and the snort sensor 
false-positived when it saw /rksh as part of a link on a microsoft.com 
website. (it saw the first part of "/rkshared.js")

Change your HTTP_SERVERS in your snort.conf to only watch your own 
webservers, unless of course you suspect someone inside your network is 
likely to launch attacks on outside websites.

At 03:22 PM 8/21/2002 -0400, lisa foreman wrote:

>[**] WEB-CGI rksh access [**]
>08/21-15:16:12.241065 0:6:5B:CD:F1:44 -> 0:0:C:E:39:55 type:0x800 len:0x1E6
>165.x.x.x:1205 -> 207.46.230.220:80 TCP TTL:128 TOS:0x0 ID:17900 IpLen:20
>DgmLen:472 DF
>***AP*** Seq: 0x9F726659  Ack: 0x2634031F  Win: 0x40B0  TcpLen: 20
>47 45 54 20 2F 77 69 6E 64 6F 77 73 32 30 30 30  GET /windows2000
>2F 74 65 63 68 69 6E 66 6F 2F 72 65 73 6B 69 74  /techinfo/reskit
>2F 65 6E 2F 49 6E 74 77 6F 72 6B 2F 72 6B 73 68  /en/Intwork/rksh
>61 72 65 64 2E 6A 73 20 48 54 54 50 2F 31 2E 31  ared.js
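Added example (not from the thread, Snort, or Matt Kettler): a small Python model of why this alert fires. It rebuilds the request from the hex column of the quoted alert (the ASCII column is truncated on the last line), then evaluates a simplified "uricontent:/rksh" rule twice: once with HTTP_SERVERS set to `any`, as in Lisa's config, and once with HTTP_SERVERS scoped to a constructed internal range (192.0.2.0/24, a TEST-NET block, not anything from the thread). A third check shows the same false positive disappearing when the pattern is required to be a whole path segment rather than a bare substring. The rule text and the `any`/CIDR-list handling are simplifications, not Snort's real matching engine.

```python
"""Rebuild the HTTP request from a Snort full-alert hex dump and show how
HTTP_SERVERS scoping decides whether a substring rule like '/rksh' fires."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the alert quoted in the thread, with the '>' quote
# markers removed. The source address was already anonymised in the thread.
SAMPLE_ALERT = """\
[**] WEB-CGI rksh access [**]
08/21-15:16:12.241065 0:6:5B:CD:F1:44 -> 0:0:C:E:39:55 type:0x800 len:0x1E6
165.x.x.x:1205 -> 207.46.230.220:80 TCP TTL:128 TOS:0x0 ID:17900 IpLen:20
DgmLen:472 DF
***AP*** Seq: 0x9F726659  Ack: 0x2634031F  Win: 0x40B0  TcpLen: 20
47 45 54 20 2F 77 69 6E 64 6F 77 73 32 30 30 30  GET /windows2000
2F 74 65 63 68 69 6E 66 6F 2F 72 65 73 6B 69 74  /techinfo/reskit
2F 65 6E 2F 49 6E 74 77 6F 72 6B 2F 72 6B 73 68  /en/Intwork/rksh
61 72 65 64 2E 6A 73 20 48 54 54 50 2F 31 2E 31  ared.js
"""

# A payload line: at least four hex byte pairs, then the ASCII column.
HEX_LINE = re.compile(r"^((?:[0-9A-Fa-f]{2} ){3,}[0-9A-Fa-f]{2})(?:\s|$)")
# The IP/TCP header line: src:port -> dst:port TCP ...
TCP_LINE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP\b")


@dataclass
class Alert:
    msg: str
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_alert(text: str) -> Alert:
    """Pull the message, destination and raw payload out of a full alert."""
    msg, dst_ip, dst_port, payload = "", "", 0, bytearray()
    for line in text.splitlines():
        if line.startswith("[**]"):
            msg = line.strip("[*] ")
        elif (m := TCP_LINE.match(line)):
            dst_ip, dst_port = m.group(3), int(m.group(4))
        elif (m := HEX_LINE.match(line)):
            # Rebuild bytes from the hex column; the ASCII column is lossy
            # (the last line of the sample shows only 'ared.js' for 16 bytes).
            payload += bytes.fromhex(m.group(1).replace(" ", ""))
    return Alert(msg, dst_ip, dst_port, bytes(payload))


def request_uri(payload: bytes) -> str:
    """Return the request-target of the HTTP request line, or '' if absent."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def dst_in_http_servers(dst_ip: str, http_servers) -> bool:
    """Model of $HTTP_SERVERS: the string 'any', or a list of CIDR strings."""
    if http_servers == "any":
        return True
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in http_servers)


def rksh_rule_fires(alert: Alert, http_servers, pattern: str = "/rksh") -> bool:
    """Simplified model of a rule aimed at $HTTP_SERVERS on port 80 with a
    case-insensitive 'uricontent' check: a plain substring match, which is
    why '/rkshared.js' trips it."""
    return (dst_in_http_servers(alert.dst_ip, http_servers)
            and alert.dst_port == 80
            and pattern.lower() in request_uri(alert.payload).lower())


def rksh_segment_match(uri: str) -> bool:
    """Tighter pattern: '/rksh' only as a complete path segment, so
    '/rkshared.js' no longer matches while '/cgi-bin/rksh' still does."""
    return re.search(r"/rksh(?=$|[/?#])", uri, re.IGNORECASE) is not None


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    uri = request_uri(alert.payload)
    print(alert.msg, "->", alert.dst_ip, uri)
    print("HTTP_SERVERS any:     ", rksh_rule_fires(alert, "any"))
    # Constructed internal web server range (TEST-NET-1), not from the thread.
    print("HTTP_SERVERS scoped:  ", rksh_rule_fires(alert, ["192.0.2.0/24"]))
    print("segment-exact pattern:", rksh_segment_match(uri))
```

Scoping HTTP_SERVERS is the fix the reply recommends and it silences this alert outright, because 207.46.230.220 is not one of your servers; the segment-exact pattern is only shown to make clear that the match is a substring hit on "rkshared", not a request for "rksh".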
