[Snort-users] IDS126/X11_OUTGOING_XTERM ?

Jordi Vila jvm at ...6079...
Thu Jun 13 08:37:01 EDT 2002


Hello Hilton.

On my network this occurs often. It seems that somebody on your internal
network is connecting to a X server. The firewall recognizes the XDMCP
protocol used by your internal client, and it opens the required connections
to allow the external X server connect to the internal client and establish
a X session.

Just my 0.02 Euro


> -----Mensaje original-----
> De: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]En nombre de Hilton De
> Meillon
> Enviado el: jueves, 13 de junio de 2002 16:42
> Para: Snort-users (E-mail)
> Asunto: [Snort-users] IDS126/X11_OUTGOING_XTERM ?
>
>
> Hey all,
>
> I get this sig popping up often:
>
>
> [**] [1:1227:2] X11 outbound client connection detected [**]
> [Classification: Misc activity] [Priority: 3]
> 06/13-17:23:19.974611 xxx.xxx.xx.x:6000 -> 64.4.13.218:1863
> TCP TTL:128 TOS:0x0 ID:61991 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0xB4D598E3  Ack: 0x18A95242  Win: 0x3C86  TcpLen: 20
> [Xref => http://www.whitehats.com/info/IDS126]
>
> Thing is the destination is pointing to a hotmail host. 64.4.13.218 is
> msgr-cs110.msgr.hotmail.com. the source address is from our
> M$ ISA firewall.
>
>
> Any comments ??.
>
> Regards,
> Hilton De Meillon
>
>
> "Common sense is the collection of prejudices acquired by age
> eighteen."
> - Albert Einstein
>
>
>
> _______________________________________________________________
>
> Don't miss the 2002 Sprint PCS Application Developer's Conference
> August 25-28 in Las Vegas -
http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users






More information about the Snort-users mailing list