[Snort-users] My Webservers Are Showing Up In My Alerts

Vadim Pushkin wiskbroom at ...125...
Fri Jun 14 11:06:02 EDT 2002


>From: matt <mkettler at ...4108...>
>To: "Vadim Pushkin" <wiskbroom at ...125...>, 
>snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] My Webservers Are Showing Up In My Alerts
>Date: Thu, 13 Jun 2002 20:33:18 -0400
>
>If I'm reading you right, you've fixed one problem, but still have a 
>problem where it looks like your squid server is attacking other people's 
>networks.
>
>Have you tried modifying EXTERNAL_NET to not be "any" but instead be 
>"!$HOME_NET" or "!$HTTP_SERVERS"? If you're only interested in inbound 
>attacks I'd highly recommend it as it will speed snort up, and kill this 
>kind of false alert.


You mean use something like this?

# Header order is: source address, source port -> destination address, destination
# port. A negated network belongs in the address slot; the trailing "\" continues a
# rule across lines. $HTTP_SERVERS_PORT must be defined in snort.conf (the stock
# variable for this is $HTTP_PORTS).
alert tcp !$HTTP_SERVERS any -> $HTTP_SERVERS $HTTP_SERVERS_PORT \
(msg:"WEB-CGI calendar access"; flags:A+; uricontent:"/calendar"; nocase; \
classtype:attempted-recon; sid:882; rev:2;)


>
>At 12:24 AM 6/14/2002 +0000, Vadim Pushkin wrote:
>>I already did that, in fact I have this instead:
>>
>>alert tcp $EXTERNAL_NET any -> !$HTTP_SERVERS 8080 (msg:"SCAN Proxy 
>>\(8080\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)
>>
>>The problem is that these are ALSO my proxy servers running
>>Squid. As such, they are the springboard into "other" people's
>>webservers. Because of this I get a lot of WEB-CGI calendar,
>>WEB-IIS scripts, etc. to these machines. Should I add a "!"
>>into ALL of my rules? I hope not :-)
>>
>>Thanks again,
>>
>>Vad
>
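The mechanism behind matt's suggestion, as an added illustration that is not Snort's own code nor anything from the poster: a minimal model of how Snort resolves the address fields of a rule header ("any", $VAR references, "!" negation and [a,b] lists), run over two constructed flows under two constructed snort.conf variable sets. HTTP_SERVERS is deliberately left at "any" in both so that the only difference is EXTERNAL_NET. All addresses are documentation ranges chosen here, not the poster's networks; $HTTP_PORTS is the stock Snort port variable.

```python
"""Why a Squid proxy inside HOME_NET shows up as the 'attacker'.

Added example (not Snort's code): a minimal model of how Snort
resolves the address fields of a rule header, covering 'any', $VAR
references, '!' negation and [a,b] lists. It is run over constructed
flows to compare EXTERNAL_NET = any with EXTERNAL_NET = !$HOME_NET.
"""
import ipaddress

# The rule header under discussion (sid:882), options omitted.
RULE_HEADER = "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS"

# Two constructed snort.conf variable sets. HTTP_SERVERS stays 'any' in
# both so that the only difference is the EXTERNAL_NET setting.
WEAK_CONFIG = {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "any",
               "HTTP_SERVERS": "any", "HTTP_PORTS": "80"}
FIXED_CONFIG = {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "!$HOME_NET",
                "HTTP_SERVERS": "any", "HTTP_PORTS": "80"}

# Constructed flows: an outside host hitting an internal web server, and
# the Squid box (192.0.2.20) fetching a page from someone else's server.
FLOWS = {
    "inbound": {"src": "198.51.100.7", "dst": "192.0.2.10"},
    "proxy_outbound": {"src": "192.0.2.20", "dst": "203.0.113.5"},
}


def parse_header(header):
    """Split 'action proto src sport -> dst dport' into its fields."""
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction != "->":
        raise ValueError("only unidirectional headers are modelled")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def resolve(spec, variables):
    """Return (negated, networks) for an address spec; networks is None for 'any'."""
    spec = spec.strip()
    negated = False
    if spec.startswith("!"):
        negated = True
        spec = spec[1:].strip()
    if spec == "any":
        return negated, None
    if spec.startswith("$"):
        inner_negated, nets = resolve(variables[spec[1:]], variables)
        return negated != inner_negated, nets   # a '!' of a '!' cancels out
    items = spec.strip("[]").split(",") if spec.startswith("[") else [spec]
    return negated, [ipaddress.ip_network(i.strip(), strict=False) for i in items]


def addr_matches(spec, variables, ip):
    """True if ip satisfies spec; a '!' spec matches everything outside it."""
    negated, nets = resolve(spec, variables)
    if nets is None:
        hit = True                       # 'any'; so '!any' matches nothing
    else:
        hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def header_matches(header, variables, flow):
    """Evaluate only the source and destination address fields of a header."""
    h = parse_header(header)
    return (addr_matches(h["src"], variables, flow["src"])
            and addr_matches(h["dst"], variables, flow["dst"]))


def alerts(variables, header=RULE_HEADER, flows=FLOWS):
    """Map each flow name to whether the header fires under these variables."""
    return {name: header_matches(header, variables, flow)
            for name, flow in flows.items()}


if __name__ == "__main__":
    for label, cfg in (("EXTERNAL_NET any", WEAK_CONFIG),
                       ("EXTERNAL_NET !$HOME_NET", FIXED_CONFIG)):
        print(label, alerts(cfg))
```

With EXTERNAL_NET left at "any" both flows fire, so the proxy's own outbound fetches are logged as attacks on other people's servers; with "!$HOME_NET" the inbound flow still fires while the proxy flow is excluded by the source address alone, which is why the change removes the false alerts without editing every rule.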

