[Snort-users] WEB-MISC readme.eml attempt

Basil Saragoza snortlst at ...125...
Mon Mar 11 15:50:05 EST 2002

I have local sensor that sniffs lan nic of the firewall. I see a couple of
entries to the workstations (w2k with IIS5) and it says - WEB-MISC
readme.eml attempt    .

Is it an indication that:
1. Someone on this workstation tried to access infected site on the internet
2. or that upload was attempted from internet to local workstation to infect

Should I worry about it or it is just an informational alert?

Workstations run only ftp part of the iis, not the web.

More information about the Snort-users mailing list