[Snort-users] My Webservers Are Showing Up In My Alerts

Matt Kettler mkettler at ...4108...
Thu Jun 13 14:32:03 EDT 2002


Well, that's not surprising. A lot of the alerts you see are likely to be 
things like codered, IIS cmd.exe and other such things, directory 
traversals, etc.

These usually represent actual attack attempts on your webserver. It is 
usually being done by a virus or an automated tool. It's not uncommon for a 
webserver to see dozens of these a day. The net is a brutal place, and it's 
not uncommon to see a network block have exploit attempts hundreds of times 
per day, particularly if snort is watching unfiltered traffic in front of 
your firewall.

My best recommendation is that if the alerts bother you, and you KNOW that 
your webserver cannot possibly be vulnerable, comment out the rule in the 
.rules file. (for example, if all your webservers are BSD or Linux Apache 
webservers it's pretty safe to comment out the cmd.exe rule).

It is important to note, however, that they aren't false alerts; they are 
usually genuine attempts to penetrate your webserver to run malicious code. 
Snort takes the stand of having alerts for attempts, even if they were not 
successful, because most events that do result in a real compromise are 
"noisy" in that they have a lot of failed attempts preceding the one that 
succeeded.

At 07:18 PM 6/13/2002 +0000, Vadim Pushkin wrote:
>Greetings Fellowes;
>
>My snort.conf has the following entries:
>
>var HTTP_SERVERS [192.168.11.41/32,192.168.11.42/32,192.168.11.43/32,192.168.11.44/32]
>
># Above is all on one line
>
>var HTTP_SERVERS_PORT 8080
>
>Several of my rules have port 80 replaced with $HTTP_SERVERS_PORT.
>
>I am getting a lot of alerts for these as either source or dest.
>How can I prevent this?
>
>Thank you kindly,
>
>-vadim
>Vadim (Ukranian Stallion) Pushkin
>
>
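What the advice above looks like on disk, as an added illustration that is not taken from either poster's files: a snort.conf fragment declaring the four web servers and port from the question, and a rule file in which the IIS cmd.exe rule is commented out for an all-Apache environment while the directory-traversal rule stays enabled. HOME_NET, RULE_PATH, the rule file name, the rule text and the sids are assumptions written in Snort 1.8-era syntax, not copied from a particular Snort release.

```snort
# Added illustration, not the poster's actual files. Assumes a Snort 1.8-era
# layout: snort.conf declares variables, then includes rule files.
#
# ---- snort.conf ----
var HOME_NET 192.168.11.0/24          # assumption: the web servers' subnet
var EXTERNAL_NET any
# The four web servers from the question, as one bracketed list (no spaces),
# and the non-standard port they listen on.
var HTTP_SERVERS [192.168.11.41/32,192.168.11.42/32,192.168.11.43/32,192.168.11.44/32]
var HTTP_SERVERS_PORT 8080
var RULE_PATH ../rules                # assumption: rules live beside etc/
include $RULE_PATH/web-local.rules    # assumed file name

# ---- web-local.rules ----
# Direction matters for "my servers show up as source": a rule written with
# "->" toward $HTTP_SERVERS only matches inbound requests. Rules that use the
# bidirectional "<>" operator, or that name the server as the source, will
# also match the server's responses.
#
# IIS-only check. If every host in $HTTP_SERVERS is Apache on BSD/Linux, the
# attempt cannot succeed there, so the rule is disabled by commenting it out
# (the attempts still arrive; only the alert is suppressed).
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_SERVERS_PORT (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase; sid:1000001; rev:1;)

# Directory traversal applies to any web server, so it stays enabled.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_SERVERS_PORT (msg:"WEB-MISC /../ directory traversal attempt"; flags:A+; content:"/../"; sid:1000002; rev:1;)
```

Rules that stay enabled keep producing alerts for failed attempts by design; that is the "noisy precursor" behaviour the reply describes, not a misconfiguration.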