[Snort-users] My Webservers Are Showing Up In My Alerts

Vadim Pushkin wiskbroom at ...125...
Thu Jun 13 15:27:03 EDT 2002

Hi and thank you,

They are merely access to my port 8080, not break-ins at
all. Perhaps they are perceived this way due to my port
change? I do not know. My servers listen on port 8080
and the users are legit, mostly internal.


>From: Matt Kettler <mkettler at ...4108...>
>To: "Vadim Pushkin" <wiskbroom at ...125...>, 
>snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] My Webservers Are Showing Up In My Alerts
>Date: Thu, 13 Jun 2002 17:34:34 -0400
>Well, that's not surprising.. A lot of the alerts you see are likely to be
>things like codered, IIS cmd.exe and other such things, directory
>traversals, etc.
>These usually represent actual attack attempts on your webserver. It is
>usually being done by a virus or an automated tool. It's not uncommon for a
>webserver to see dozens of these a day. The net is a brutal place, and it's
>not uncommon to see a network block have exploit attempts hundreds of times
>per day. Particularly if snort is watching unfiltered traffic in front of
>your firewall.
>My best recommendation is that if the alerts bother you, and you KNOW that
>your webserver cannot possibly be vulnerable, comment out the rule in the
>.rules file. (for example, if all your webservers are BSD or Linux Apache
>webservers it's pretty safe to comment out the cmd.exe rule).
>It is important to note however that they aren't false alerts, they are
>usually genuine attempts to penetrate your webserver to run malicious code.
>Snort takes the stand of having alerts for attempts, even if they were not
>successful, because most events that do result in a real compromise are
>"noisy" in that they have a lot of failed attempts preceding the one that
>At 07:18 PM 6/13/2002 +0000, Vadim Pushkin wrote:
>>Greetings Fellowes;
>>My snort.conf has the following entries:
>># Above is all on one line
>>Several of my rules have port 80 replaced with $HTTP_SERVERS_PORT.
>>I am getting A LOT of alerts for these as either source or dest.
>>How can I prevent this?
>>Thank you kindly,
>>Vadim (Ukranian Stallion) Pushkin

Vadim (Ukranian Stallion) Pushkin
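
Added example, not part of the original thread: one way to see which rules account for the alerts on the web servers' port, split by whether the server is source or destination and whether the peer is internal, before deciding which rules to comment out. It assumes Snort's one-line "fast" alert layout; the server address, internal range, sids and messages are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout: ts [**] [gid:sid:rev] msg [**] ... {TCP} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{TCP\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Assumptions: placeholder server address, internal range and web port.
WEB_SERVERS = {"10.0.0.10"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
WEB_PORT = 8080

# Constructed sample alerts (sids and messages are made up for illustration).
SAMPLE_ALERTS = """\
06/13-15:01:10.104233  [**] [1:1000001:1] constructed: cmd.exe in URI [**] [Priority: 1] {TCP} 198.51.100.7:3391 -> 10.0.0.10:8080
06/13-15:01:12.551020  [**] [1:1000001:1] constructed: cmd.exe in URI [**] [Priority: 1] {TCP} 198.51.100.7:3392 -> 10.0.0.10:8080
06/13-15:04:40.000100  [**] [1:1000002:1] constructed: web response rule [**] [Priority: 2] {TCP} 10.0.0.10:8080 -> 10.1.2.3:40112
06/13-15:05:02.300000  [**] [1:1000003:1] constructed: directory traversal [**] [Priority: 2] {TCP} 10.1.2.3:40113 -> 10.0.0.10:8080
06/13-15:06:00.000000  [**] [1:1000004:1] constructed: unrelated [**] [Priority: 3] {TCP} 10.1.2.3:40114 -> 10.9.9.9:25
"""

def tally(text, servers=WEB_SERVERS, port=WEB_PORT, internal=INTERNAL_NET):
    """Count alerts per (sid, msg, direction, peer origin) for the web servers."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        if m["dst"] in servers and int(m["dport"]) == port:
            direction, peer = "to_server", m["src"]
        elif m["src"] in servers and int(m["sport"]) == port:
            direction, peer = "from_server", m["dst"]
        else:
            continue  # not traffic on the web servers' port
        origin = "internal" if ipaddress.ip_address(peer) in internal else "external"
        counts[(int(m["sid"]), m["msg"], direction, origin)] += 1
    return counts

if __name__ == "__main__":
    for (sid, msg, direction, origin), n in tally(SAMPLE_ALERTS).most_common():
        print(f"{n:3d}  sid {sid}  {direction:11s} {origin:8s} {msg}")
```

Rules that fire mostly with an internal peer or with the server as source are the ones to examine against the port substitution; rules fed by external peers match the probe traffic described in the quoted reply.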
