[Snort-users] WEB-MISC readme.eml attempt

Roberto Suarez Soto robe at ...3881...
Tue Mar 12 02:37:01 EST 2002

On Mar/11, Basil Saragoza wrote:

> I have local sensor that sniffs lan nic of the firewall. I see a couple of
> entries to the workstations (w2k with IIS5) and it says - WEB-MISC
> readme.eml attempt    .

	I've seen it a few times being a false alarm: reports about Nimda from
security sites, for example. The one alert that is a false alarm only on rare
times is the "readme.eml autoload attempt", which matches the javascript code
that sends the infected file. It can be a false alarm too, but in my
experience it has been so very few times.

	Anyway, your best bet is to check the traffic with tcpdump or ethereal
(if you captured it in tcpdump format, what I'd strongly recommend :-)), and
see what the payload is.
Roberto Suarez Soto					Alfa21 Outsourcing
    robe at ...3881...				     http://www.alfa21.com

More information about the Snort-users mailing list