[Snort-users] My Webservers Are Showing Up In My Alerts
wiskbroom at ...125...
Fri Jun 14 10:41:03 EDT 2002
>From: Matt Kettler <mkettler at ...4108...>
>To: "Vadim Pushkin" <wiskbroom at ...125...>,
>snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] My Webservers Are Showing Up In My Alerts
>Date: Thu, 13 Jun 2002 17:34:34 -0400
>Well, that's not surprising.. A lot of the alerts you see are likely to
>things like codered, IIS cmd.exe and other such things, directory
>These usually represent actual attack attempts on your webserver. It is
>usually being done by a virus or an automated tool. It's not uncommon for a
>webserver to see dozens of these a day. The net is a brutal place, and it's
>not uncommon to see a network block have exploit attempts hundreds of times
>per day. Particularly if snort is watching unfiltered traffic in front of
>My best recommendation is that if the alerts bother you, and you KNOW that
>your webserver cannot possibly be vulnerable, comment out the rule in the
>.rules file. (for example, if all your webservers are BSD or Linux Apache
>webservers it's pretty safe to comment out the cmd.exe rule).
>It is important to note however that they aren't false alerts, they
I disagree. I do believe that they may be attempts to misuse
other webservers; my server is a squid proxy server, so it
gets A LOT of stuff passing through it. It is not my job to track
each one down and determine if it is a legit use or not.
Vadim (Ukranian Stallion) Pushkin