[Snort-users] Should I worry??

Chris Adams chris at ...2949...
Tue Jun 25 20:48:06 EDT 2002


On Tuesday, June 25, 2002, at 09:41, Anthony Scott wrote:
> Received this alert from Snort:
>  
> [**] [1:1227:2] X11 outbound client connection detected [**]
> [Classification: Misc activity] [Priority: 3]
> 06/24-10:37:44.575620 192.168.1.18:6000 -> 192.168.1.225:1984
> TCP TTL:128 TOS:0x0 ID:12364 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x36B34774 Ack: 0x498A1D12 Win: 0x4470 TcpLen: 20
> [Xref => http://www.whitehats.com/info/IDS126]

It's probably bogus - that rule is extremely false positive prone as it 
doesn't look for anything specific to X11, just the port number. We get 
these all the time on our web servers where the random high source port 
the browser used happens to be in the low 6000s. It'd be a good idea to 
double-check that someone hasn't installed X on one of those systems 
before disabling the rule, though.

Chris
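
Added example (not part of the original post and not Snort code): a triage pass over full-format alerts for sid 1227 that separates "the 600x port is probably just an ephemeral client port" from "go check that host for an X listener", as the reply above advises before disabling the rule. The function names, verdict labels, the `known_x_hosts` inventory and the "peer port below 1024" heuristic are assumptions; the second alert is constructed for contrast.

```python
import re

# First alert is the one quoted in the post; the second is constructed.
ALERTS = """\
[**] [1:1227:2] X11 outbound client connection detected [**]
[Classification: Misc activity] [Priority: 3]
06/24-10:37:44.575620 192.168.1.18:6000 -> 192.168.1.225:1984
TCP TTL:128 TOS:0x0 ID:12364 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x36B34774 Ack: 0x498A1D12 Win: 0x4470 TcpLen: 20

[**] [1:1227:2] X11 outbound client connection detected [**]
[Classification: Misc activity] [Priority: 3]
06/24-11:02:13.104233 192.168.1.40:6003 -> 10.0.0.7:80
TCP TTL:128 TOS:0x0 ID:20111 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x1A2B3C4D Ack: 0x5E6F7081 Win: 0x4470 TcpLen: 20
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
X11_PORTS = range(6000, 6064)  # X display :N listens on TCP 6000+N

def parse_alerts(text):
    """Yield (sid, src, sport, dst, dport) for each blank-line-separated alert."""
    for block in re.split(r"\n\s*\n", text.strip()):
        head, flow = HEADER.search(block), FLOW.search(block)
        if head and flow:
            src, sport, dst, dport = flow.groups()
            yield int(head.group(2)), src, int(sport), dst, int(dport)

def triage(alert, known_x_hosts=frozenset()):
    """Return (verdict, host on the 600x side) for one parsed alert."""
    sid, src, sport, dst, dport = alert
    if sid != 1227:
        return "not-x11-rule", None
    if sport in X11_PORTS:
        host, peer_port = src, dport
    elif dport in X11_PORTS:
        host, peer_port = dst, sport
    else:
        return "no-x11-port", None
    if host in known_x_hosts:      # inventory says X really runs there
        return "x-server-present", host
    if peer_port < 1024:           # assumed heuristic: peer is a well-known service
        return "likely-ephemeral-port", host
    return "check-host-for-x", host

if __name__ == "__main__":
    for a in parse_alerts(ALERTS):
        print(a[1:], triage(a))
```
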