[Snort-users] ATTACK RESPONSES 403 Forbidden

Gray . Brendan bgray2 at ...3738...
Tue Aug 27 06:50:10 EDT 2002


I was about to suggest that too.  We have some websites at my company that
are restricted to specific domains and IP addresses.  On my snort logs I get
that alert a lot.  Every time someone (or a Nimda Code Red worm) comes to one
of our restricted websites, they get a 403 error, and snort catches it.

Brendan Gray



-----Original Message-----
From: Matt Yackley [mailto:Matt.Yackley at ...5858...]
Sent: Tuesday, August 27, 2002 9:20 AM
To: 'Alwin Raymundo'; 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] ATTACK RESPONSES 403 Forbidden


Alwin, first few things that come to mind are:

Someone on the network went to a site that returned a 403 page.
What is your External_Net and Home_Net set to?
Can you post the alert in question or provide more detail....

Matt

-----Original Message-----
From: Alwin Raymundo [mailto:alrayworld at ...131...]
Sent: Tuesday, August 27, 2002 7:01 AM
To: user snort
Subject: [Snort-users] ATTACK RESPONSES 403 Forbidden


Hi Guys,

I don't know if this was already posted, but again I need
your help about this Attack Response.

It showed on my database that I'm the one attacking
some server?, which is impossible.  I know this is
a false positive alert.

Any idea and comment will be highly appreciated.

Thanks in advance brother in snort.

=====
Alwin Raymundo






