[Snort-users] Should I worry??
chris at ...2949...
Tue Jun 25 20:48:06 EDT 2002
On Tuesday, June 25, 2002, at 09:41 , Anthony Scott wrote:
> Received this alert from Snort:
> [**] [1:1227:2] X11 outbound client connection detected [**]
> [Classification: Misc activity] [Priority: 3]
> 06/24-10:37:44.575620 192.168.1.18:6000 -> 192.168.1.225:1984
> TCP TTL:128 TOS:0x0 ID:12364 IpLen:20 DgmLen:40 DF
> ***A**** Seq: 0x36B34774 Ack: 0x498A1D12 Win: 0x4470 TcpLen: 20
> [Xref => http://www.whitehats.com/info/IDS126]
It's probably bogus - that rule is extremely false positive prone as it
doesn't look for anything specific to X11, just the port number. We get
these all the time on our web servers where the random high source port
the browser used happens to be in the low 6000s. It'd be a good idea to
double-check that someone hasn't installed X on one of those systems
before disabling the rule, though.
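A triage sketch for the reasoning in the reply above, as an added example that is not part of the original post or of Snort itself. It reads the address line of a full alert and separates the "ephemeral port happened to land in the 6000s" case from the case where the host should be checked for an X server. The 6000-6063 X11 range, the "peer port below 1024 is an ordinary service" heuristic, and the second sample alert are assumptions made for this example.

```python
import re

# Address line of a Snort full alert: "MM/DD-HH:MM:SS.usec src:sport -> dst:dport"
# (an optional "> " quote prefix from e-mail replies is tolerated).
ALERT_RE = re.compile(
    r"^(?:>\s*)?\S+\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)$"
)

X11_PORTS = range(6000, 6064)  # assumption: X11 display :n listens on 6000+n
WELL_KNOWN = range(1, 1024)    # assumption: peer port < 1024 is an ordinary service


def triage(line):
    """Return (verdict, host_to_check) for one alert address line, or None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    if sport in X11_PORTS:
        x_host, peer_port = src, dport
    elif dport in X11_PORTS:
        x_host, peer_port = dst, sport
    else:
        return ("not-x11-port", None)
    if peer_port in WELL_KNOWN:
        # The 6000s port is the ephemeral end of a connection to a normal
        # service (e.g. a browser talking to a web server on port 80).
        return ("likely-false-positive", None)
    # Both ports are high: the port numbers cannot settle it, so the host
    # on the 6000s side should be checked for a listening X server.
    return ("verify-host", x_host)


SAMPLE_ALERTS = [
    "06/24-10:37:44.575620 192.168.1.18:6000 -> 192.168.1.225:1984",  # from the post
    "06/24-11:02:13.104233 10.0.0.7:6003 -> 10.0.0.80:80",            # constructed
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert, "=>", triage(alert))
```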