[Snort-users] My Webservers Are Showing Up In My Alerts

Vadim Pushkin wiskbroom at ...125...
Thu Jun 13 15:27:03 EDT 2002


Hi and thank you,

They are merely access to my port 8080, not breakins at
all. Perhaps they are perceived this way due to my port
change? I do not know. My servers listen on port 8080
and the users are legit, mostly internal.


Vadim


>From: Matt Kettler <mkettler at ...4108...>
>To: "Vadim Pushkin" <wiskbroom at ...125...>, 
>snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] My Webservers Are Showing Up In My Alerts
>Date: Thu, 13 Jun 2002 17:34:34 -0400
>
>Well, that's not surprising. A lot of the alerts you see are likely to be
>things like codered, IIS cmd.exe and other such things, directory
>traversals, etc.
>
>These usually represent actual attack attempts on your webserver. It is
>usually being done by a virus or an automated tool. It's not uncommon for a
>webserver to see dozens of these a day. The net is a brutal place, and it's
>not uncommon to see a network block have exploit attempts hundreds of times
>per day. Particularly if snort is watching unfiltered traffic in front of
>your firewall.
>
>My best recommendation is that if the alerts bother you, and you KNOW that
>your webserver cannot possibly be vulnerable, comment out the rule in the
>.rules file. (for example, if all your webservers are BSD or Linux Apache
>webservers it's pretty safe to comment out the cmd.exe rule).
>
>It is important to note however that they aren't false alerts, they are
>usually genuine attempts to penetrate your webserver to run malicious code.
>Snort takes the stand of having alerts for attempts, even if they were not
>successful, because most events that do result in a real compromise are
>"noisy" in that they have a lot of failed attempts preceding the one that
>succeeded.
>
>At 07:18 PM 6/13/2002 +0000, Vadim Pushkin wrote:
>>Greetings Fellowes;
>>
>>My snort.conf has the following entries:
>>
>>var HTTP_SERVERS [192.168.11.41/32,192.168.11.42/32,192.168.11.43/32,192.168.11.44/32]
>>
>># Above is all on one line
>>
>>var HTTP_SERVERS_PORT 8080
>>
>>Several of my rules have port 80 replaced with $HTTP_SERVERS_PORT.
>>
>>I am getting A LOT of alerts for these as either source or dest.
>>How can I prevent this?
>>
>>Thank you kindly,
>>
>>-vadim
>>Vadim (Ukrainian Stallion) Pushkin
>>
>>




-vadim
Vadim (Ukrainian Stallion) Pushkin
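Added example, not part of the thread or of Snort's shipped rule set: a snort.conf fragment built on the variables Vadim posted, with a constructed content rule that shows why an alert on port 8080 reflects the request payload rather than mere access, followed by the commented-out form Matt recommends. The rule text, msg and sid (a local-range placeholder) are assumptions of this example.

```snort
# Constructed example; the variables match the ones quoted in the thread.
var HTTP_SERVERS [192.168.11.41/32,192.168.11.42/32,192.168.11.43/32,192.168.11.44/32]
var HTTP_SERVERS_PORT 8080
# With EXTERNAL_NET set to any, internal clients are inspected too, which is
# why legit internal users can appear as the source of an alert.
var EXTERNAL_NET any

# A web rule with port 80 replaced by $HTTP_SERVERS_PORT. It does NOT fire on a
# plain connection to 8080: the content match requires the string "cmd.exe" in
# the request, so each alert records a client that actually sent it.
# sid 1000001 is a placeholder in the local range, not a distributed Snort rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_SERVERS_PORT (msg:"LOCAL cmd.exe request to 8080 web server"; flags:A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)

# Once the servers are confirmed to be Apache on BSD/Linux and cannot be
# affected, disable the rule by commenting it out in the .rules file,
# keeping in mind the attempts it recorded were real, just not relevant.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_SERVERS_PORT (msg:"LOCAL cmd.exe request to 8080 web server"; flags:A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
```

Restart Snort after editing so the commented rule is dropped from the loaded set.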

