[Snort-users] Another snort log

Guillaume guillaume at ...4029...
Wed Feb 27 00:45:03 EST 2002


In his previous message Scott Taylor wrote:

> Another snort log question. Sorry, trying to get
> up to speed on this.
>
> [**] [1:1201:1] WEB-MISC 403 Forbidden [**]
> [Classification: Attempted Information Leak]
> [Priority: 2]
> 02/25-19:26:21.830746 (myfirewallip):80 ->
> (someoneelsesip):2294
> TCP TTL:64 TOS:0x0 ID:15896 IpLen:20 DgmLen:539
> DF ***AP*** Seq: 0x3911FED Ack: 0x99D71666 Win:
> 0x16D0 TcpLen: 20
>
> This shows up in my snort log. It says I'm the
> source of the alert. (I think) Is that true?
> I have apache running with rules that only allow
> connections from certain IP addresses. Would
> that be the cause? It's denying this person
> access or is this really an attack of some sort?

It (403 Forbidden) is the kind of message Apache sends to someone trying,
for example, to browse a directory (i.e. www.web.com/test/) that does not
have the Index settings set. Not necessarily an attack... Take a look in
your Apache logs...

Regards,

Guillaume

[ Sent with SquirrelMail -  http://www.squirrelmail.org     ]
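
Added example (not part of the original message or of Snort itself): a Python sketch of the check suggested in the reply above, confirming that the alert fired on the server's own response (source port 80) and finding the Apache access-log entry that produced the 403. The sample alert and log lines are constructed, with documentation-range IPs standing in for the redacted addresses; it assumes Common Log Format and that the sensor and Apache share the same clock and time zone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: documentation-range IPs replace the redacted
# addresses in the quoted alert; the access-log lines are invented.
SNORT_ALERT = """\
[**] [1:1201:1] WEB-MISC 403 Forbidden [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/25-19:26:21.830746 192.0.2.10:80 -> 198.51.100.7:2294
TCP TTL:64 TOS:0x0 ID:15896 IpLen:20 DgmLen:539 DF
"""
APACHE_LOG = """\
198.51.100.7 - - [25/Feb/2002:19:26:21 -0500] "GET /test/ HTTP/1.0" 403 289
198.51.100.7 - - [25/Feb/2002:19:20:02 -0500] "GET /index.html HTTP/1.0" 200 1042
203.0.113.5 - - [25/Feb/2002:19:26:22 -0500] "GET /private/ HTTP/1.0" 403 291
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)", re.S)
ACCESS_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+)[^\]]*\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def parse_alert(text, year):
    a = ALERT_RE.search(text).groupdict()
    # Snort alert timestamps omit the year, so the caller supplies it.
    a["time"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S")
    # Source port 80 means the web server's reply tripped the rule, so the
    # remote client is the destination address, not the source.
    a["is_server_response"] = a["sport"] == "80"
    a["client"] = a["dst"] if a["is_server_response"] else a["src"]
    return a

def matching_403s(alert, log_text, window_s=5):
    """Return requests from the alert's client answered with 403 near the alert time."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["status"] != "403" or m["ip"] != alert["client"]:
            continue
        t = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        if abs(t - alert["time"]) <= timedelta(seconds=window_s):
            hits.append(m["req"])
    return hits

if __name__ == "__main__":
    alert = parse_alert(SNORT_ALERT, 2002)
    print(alert["client"], matching_403s(alert, APACHE_LOG))
```

The matched request line shows what the client asked for, which is what separates a single denied directory listing from a run of probes for many different paths.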