[Snort-users] ATTACK RESPONSES 403 Forbidden
Gray . Brendan
bgray2 at ...3738...
Tue Aug 27 06:50:10 EDT 2002
I was about to suggest that too. We have some websites at my company that
are restricted to specific domains and IP addresses. On my snort logs I get
that alert a lot. Everytime someone (or a nimda code red worm) comes to one
of our restricted websites, they get a 403 error, and snort catches it.
From: Matt Yackley [mailto:Matt.Yackley at ...5858...]
Sent: Tuesday, August 27, 2002 9:20 AM
To: 'Alwin Raymundo'; 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] ATTACK RESPONSES 403 Forbidden
Alwin, first few things that come to mind are:
Someone on the network went to a site that returned a 403 page.
What is your External_Net and Home_Net set to?
Can you post the alert in question or provide more detail....
From: Alwin Raymundo [mailto:alrayworld at ...131...]
Sent: Tuesday, August 27, 2002 7:01 AM
To: user snort
Subject: [Snort-users] ATTACK RESPONSES 403 Forbidden
I dont know if this already posted but again I need
your help about this Attack Response.
It showed on my database that I'm the one attacking
some server?, which is impossible. I know this is
false positive alert.
Any idea and comment will be highly appreciated.
Thanks in advance brother in snort.
More information about the Snort-users