[Snort-users] My Webservers Are Showing Up In My Alerts

Vadim Pushkin wiskbroom at ...125...
Fri Jun 14 10:41:03 EDT 2002


>From: Matt Kettler <mkettler at ...4108...>
>To: "Vadim Pushkin" <wiskbroom at ...125...>, 
>snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] My Webservers Are Showing Up In My Alerts
>Date: Thu, 13 Jun 2002 17:34:34 -0400
>
>Well, that's not surprising.. A lot of the alerts you see are likely to be 
>things like codered, IIS cmd.exe and other such things, directory 
>traversals, etc.
>
>These usually represent actual attack attempts on your webserver. It is 
>usually being done by a virus or an automated tool. It's not uncommon for a 
>webserver to see dozens of these a day. The net is a brutal place, and it's 
>not uncommon to see a network block have exploit attempts hundreds of times 
>per day. Particularly if snort is watching unfiltered traffic in front of 
>your firewall.
>
>My best recommendation is that if the alerts bother you, and you KNOW that 
>your webserver cannot possibly be vulnerable, comment out the rule in the 
>.rules file. (for example, if all your webservers are BSD or Linux Apache 
>webservers it's pretty safe to comment out the cmd.exe rule).
>
>It is important to note however that they aren't false alerts, they

I disagree, I do believe that they may be attempts to misuse
other webservers, my server is a squid proxy server, so it
gets A LOT of stuff passing thru it. It is not my job to track
each one down and determine if it is a legit use or not.

-vadim
Vadim (Ukranian Stallion) Pushkin

