[Snort-users] ATTACK RESPONSES 403 Forbidden

Alwin Raymundo alrayworld at ...131...
Wed Aug 28 18:45:02 EDT 2002


Hi Matt,

Yep, you are right about this, because aside from the
logging from ACID I have the binary files from Snort,
and I reviewed them using Ethereal and found out that 4
of the attacks came from one IP, which is a dialup, and
the last one came from my server and went to the one
with the dialup.

Thanks for the input.  I appreciate it.


--- Matt Yackley <Matt.Yackley at ...5858...> wrote:
> Alwin, I took another look at these types of alerts and on my system they
> all show my machines as the source of the alert.
> 
> So if it lists your machine as the source, this is normal: the rule triggers
> on outgoing traffic that contains the 403 message, just letting you know
> that someone tried to access something that they did not have rights to.
> Almost all of my 403 alerts are triggered by people trying to pull up a
> URL like "www.your.web/some/directory/", and when there is not an index.html
> file, my systems will not list directory contents, so they get a 403 and that
> triggers an alert with my server as the source.
> 
> On your alert it looks like someone tried to access something that was not
> allowed:
> <H1>Forbidden</H1>.You don't have permission to
> access /.on this server
> .<P>.<HR>.<ADDRESS>Apache/1.3.23
> 
> Hope this helps,
> Matt
> 
> -----Original Message-----
> From: Alwin Raymundo [mailto:alrayworld at ...131...]
> Sent: Wednesday, August 28, 2002 6:52 AM
> To: Matt Yackley
> Subject: RE: [Snort-users] ATTACK RESPONSES 403
> Forbidden
> 
> 
> Dear Matt,
> 
> Thanks for your reply; I appreciate it very much.
> 
> My snort.conf
> 
> var HOME_NET[xxx.xxx.xxx.xxx/24] and so on
> 
> var EXTERNAL_NET !$HOME_NET
> 
> 
> Meta
> ID #         Time                 Triggered Signature
> 2 - 145166   2002-08-28 07:36:34  ATTACK RESPONSES 403 Forbidden
> Sensor name     interface   filter
> 209.47.245.90   eth1        none
> Alert Group     none
> 
> IP
> source addr    dest addr   Ver  Hdr Len  TOS  length  ID     flags  offset  TTL  chksum
> 209.47.245.90  81.9.5.66   4    5        0    631     13464  0      0       64   59155
> FQDN Source Name            Dest. Name
> helium.csgphonedirect.com   ds006.eltel.net
> Options     none
> 
> TCP
> source port  dest port  R1 R0 URG ACK PSH RST SYN FIN  seq #       ack         offset  res  window  urp  chksum
> 80           1354       X X                            1938020777  2123281220  8       0    5792    0    43516
> Options  code  length  data
> #1       NOP   0
> #2       NOP   0
> #3       TS    10      03DBED4108BB7202
> Payload
> 
>  length = 579
> 
> 000 : 48 54 54 50 2F 31 2E 31 20 34 30 33 20 46 6F 72  HTTP/1.1 403 For
> 010 : 62 69 64 64 65 6E 0D 0A 44 61 74 65 3A 20 57 65  bidden..Date: We
> 020 : 64 2C 20 32 38 20 41 75 67 20 32 30 30 32 20 31  d, 28 Aug 2002 1
> 030 : 31 3A 33 36 3A 33 34 20 47 4D 54 0D 0A 53 65 72  1:36:34 GMT..Ser
> 040 : 76 65 72 3A 20 41 70 61 63 68 65 2F 31 2E 33 2E  ver: Apache/1.3.
> 050 : 32 33 20 28 55 6E 69 78 29 20 20 28 52 65 64 2D  23 (Unix)  (Red-
> 060 : 48 61 74 2F 4C 69 6E 75 78 29 20 6D 6F 64 5F 70  Hat/Linux) mod_p
> 070 : 79 74 68 6F 6E 2F 32 2E 37 2E 38 20 50 79 74 68  ython/2.7.8 Pyth
> 080 : 6F 6E 2F 31 2E 35 2E 32 20 6D 6F 64 5F 73 73 6C  on/1.5.2 mod_ssl
> 090 : 2F 32 2E 38 2E 37 20 4F 70 65 6E 53 53 4C 2F 30  /2.8.7 OpenSSL/0
> 0a0 : 2E 39 2E 36 62 20 44 41 56 2F 31 2E 30 2E 33 20  .9.6b DAV/1.0.3 
> 0b0 : 50 48 50 2F 34 2E 31 2E 32 20 6D 6F 64 5F 70 65  PHP/4.1.2 mod_pe
> 0c0 : 72 6C 2F 31 2E 32 36 20 6D 6F 64 5F 74 68 72 6F  rl/1.26 mod_thro
> 0d0 : 74 74 6C 65 2F 33 2E 31 2E 32 0D 0A 43 6F 6E 6E  ttle/3.1.2..Conn
> 0e0 : 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 43  ection: close..C
> 0f0 : 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78  ontent-Type: tex
> 100 : 74 2F 68 74 6D 6C 3B 20 63 68 61 72 73 65 74 3D  t/html; charset=
> 110 : 69 73 6F 2D 38 38 35 39 2D 31 0D 0A 0D 0A 3C 21  iso-8859-1....<!
> 120 : 44 4F 43 54 59 50 45 20 48 54 4D 4C 20 50 55 42  DOCTYPE HTML PUB
> 130 : 4C 49 43 20 22 2D 2F 2F 49 45 54 46 2F 2F 44 54  LIC "-//IETF//DT
> 140 : 44 20 48 54 4D 4C 20 32 2E 30 2F 2F 45 4E 22 3E  D HTML 2.0//EN">
> 150 : 0A 3C 48 54 4D 4C 3E 3C 48 45 41 44 3E 0A 3C 54  .<HTML><HEAD>.<T
> 160 : 49 54 4C 45 3E 34 30 33 20 46 6F 72 62 69 64 64  ITLE>403 Forbidd
> 170 : 65 6E 3C 2F 54 49 54 4C 45 3E 0A 3C 2F 48 45 41  en</TITLE>.</HEA
> 180 : 44 3E 3C 42 4F 44 59 3E 0A 3C 48 31 3E 46 6F 72  D><BODY>.<H1>For
> 190 : 62 69 64 64 65 6E 3C 2F 48 31 3E 0A 59 6F 75 20  bidden</H1>.You 
> 1a0 : 64 6F 6E 27 74 20 68 61 76 65 20 70 65 72 6D 69  don't have permi
> 1b0 : 73 73 69 6F 6E 20 74 6F 20 61 63 63 65 73 73 20  ssion to access 
> 1c0 : 2F 0A 6F 6E 20 74 68 69 73 20 73 65 72 76 65 72  /.on this server
> 1d0 : 2E 3C 50 3E 0A 3C 48 52 3E 0A 3C 41 44 44 52 45  .<P>.<HR>.<ADDRE
> 1e0 : 53 53 3E 41 70 61 63 68 65 2F 31 2E 33 2E 32 33  SS>Apache/1.3.23
> 1f0 : 20 53 65 72 76 65 72 20 61 74 20 73 74 61 74 75   Server at statu
> 200 : 73 2E 61 75 74 6F 6D 61 74 65 64 6D 61 72 6B 65  s.automatedmarke
> 210 : 74 69 6E 67 73 6F 6C 75 74 69 6F 6E 73 2E 63 6F  tingsolutions.co
> 220 : 6D 20 50 6F 72 74 20 38 30 3C 2F 41 44 44 52 45  m Port 80</ADDRE
> 230 : 53 53 3E 0A 3C 2F 42 4F 44 59 3E 3C 2F 48 54 4D  SS>.</BODY></HTM
> 240 : 4C 3E 0A                                         L>.
> 
> --- Matt Yackley <Matt.Yackley at ...5858...> wrote:
> > Alwin, first few things that come to mind are:
> > 
> > Someone on the network went to a site that returned a 403 page.
> > What is your External_Net and Home_Net set to?
> > Can you post the alert in question or provide more detail....
> > 
> > Matt
> > 
> > -----Original Message-----
> > From: Alwin Raymundo [mailto:alrayworld at ...131...]
> > Sent: Tuesday, August 27, 2002 7:01 AM
> > To: user snort
> > Subject: [Snort-users] ATTACK RESPONSES 403
> > Forbidden
> > 
> > 
> > Hi Guys,
> > 
> > I don't know if this has already been posted, but again I need
> > your help about this Attack Response.
> > 
> > It showed on my database that I'm the one attacking
> > some server, which is impossible.  I know this is a
> > false positive alert.
> > 
> > Any idea and comment will be highly appreciated.
> > 
> > Thanks in advance, brother in Snort.
> > 
> > =====
> > Alwin Raymundo
> 
=== message truncated ===


=====
Alwin Raymundo

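The point Matt makes is that the packet behind an "ATTACK RESPONSES 403 Forbidden" alert is an HTTP *response*, so the alert's source is the answering web server, not an attacker. The following is an added example (not from the thread or from Snort/ACID) that rebuilds the raw bytes from an ACID-style payload dump, parses the HTTP response, and reports which side is the server and which the refused client. The `SAMPLE_DUMP` is a constructed, shortened 403 reply in the same `offset : hex  ascii` layout; `parse_acid_dump`, `parse_http_response` and `summarize_alert` are names chosen here.

```python
import re

# Constructed sample in the ACID payload-dump layout (offset : 16 hex bytes  ascii).
# It is a shortened 403 reply, not the full 579-byte packet from the thread.
SAMPLE_DUMP = """\
000 : 48 54 54 50 2F 31 2E 31 20 34 30 33 20 46 6F 72  HTTP/1.1 403 For
010 : 62 69 64 64 65 6E 0D 0A 53 65 72 76 65 72 3A 20  bidden..Server: 
020 : 41 70 61 63 68 65 2F 31 2E 33 2E 32 33 0D 0A 0D  Apache/1.3.23...
030 : 0A                                               .
"""

# The hex column is fixed width: 16 pairs + 15 separators = 47 chars, then two
# spaces and the ASCII column. Capturing at most 47 chars avoids misreading an
# ASCII column that happens to begin with hex digits (e.g. "23 (Unix)").
ROW = re.compile(r"^\s*([0-9a-fA-F]+)\s*:\s(.{0,47})")

def parse_acid_dump(text):
    """Rebuild raw bytes from an ACID-style hex dump, checking row offsets."""
    out = bytearray()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError("row offset does not match the bytes seen so far")
        out += bytes.fromhex(m.group(2).strip())  # fromhex skips inner spaces
    return bytes(out)

def parse_http_response(raw):
    """Split an HTTP response into status code, reason, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, reason = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}

def summarize_alert(dump_text, src_addr, src_port, dst_addr, dst_port):
    """A response travels server -> client, so the alert's source address is
    the web server and its destination is the client whose request was refused."""
    raw = parse_acid_dump(dump_text)
    if not raw.startswith(b"HTTP/"):
        raise ValueError("payload is not an HTTP response")
    resp = parse_http_response(raw)
    return {"status": resp["status"], "reason": resp["reason"],
            "server_banner": resp["headers"].get("server", ""),
            "web_server": f"{src_addr}:{src_port}", "client": f"{dst_addr}:{dst_port}"}

if __name__ == "__main__":
    print(summarize_alert(SAMPLE_DUMP, "209.47.245.90", 80, "81.9.5.66", 1354))
```

Run against the thread's own dump, the same call reports the server at 209.47.245.90:80 answering the dialup client at 81.9.5.66:1354, which is exactly why Alwin's server shows up as the "source".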



