[Snort-users] WEB-MISC readme.eml attempt
Roberto Suarez Soto
robe at ...3881...
Tue Mar 12 02:37:01 EST 2002
On Mar/11, Basil Saragoza wrote:
> I have a local sensor that sniffs lan nic of the firewall. I see a couple of
> entries to the workstations (w2k with IIS5) and it says - WEB-MISC
> readme.eml attempt.
I've seen it a few times being a false alarm: reports about Nimda from
security sites, for example. The one alert that is a false alarm only on rare
that sends the infected file. It can be a false alarm too, but in my
experience it has been so very few times.
Anyway, your best bet is to check the traffic with tcpdump or ethereal
(if you captured it in tcpdump format, which I'd strongly recommend :-)), and
see what the payload is.
Roberto Suarez Soto Alfa21 Outsourcing
robe at ...3881... http://www.alfa21.com
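
The payload check suggested in the reply above, as an added example that is not part of the original post: it reads a tcpdump-format capture and reports whether "readme.eml" sits in an HTTP request line or only in other payload text, such as a page that merely mentions the file. The addresses and packets are constructed sample data, the function names are hypothetical, and matching is per packet with no TCP stream reassembly.

```python
import socket, struct

NEEDLE = b"readme.eml"
METHODS = (b"GET", b"HEAD", b"POST")

def tcp_payloads(pcap):
    """Yield (src, dst, payload) per IPv4/TCP frame of a little-endian Ethernet pcap."""
    if struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("not a classic little-endian pcap file")
    off = 24                                    # skip the global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                            # not IPv4/TCP
        tcp = 14 + (frame[14] & 0x0F) * 4       # Ethernet + IP header length
        end = 14 + struct.unpack_from("!H", frame, 16)[0]
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data = frame[tcp + (frame[tcp + 12] >> 4) * 4:end]
        yield (f"{socket.inet_ntoa(frame[26:30])}:{sport}",
               f"{socket.inet_ntoa(frame[30:34])}:{dport}", data)

def triage(pcap):
    """Report where the alert string sits: in a request line or in other payload text."""
    hits = []
    for src, dst, data in tcp_payloads(pcap):
        pos = data.lower().find(NEEDLE)
        if pos < 0:
            continue
        first = data.split(b"\r\n", 1)[0]
        in_request = first.split(b" ", 1)[0] in METHODS and NEEDLE in first.lower()
        hits.append((src, dst, "request-line" if in_request else "payload-text",
                     data[max(0, pos - 24):pos + len(NEEDLE) + 8]))
    return hits

def _frame(src, dst, sport, dport, data):       # constructed test traffic, checksums left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + data

def sample_pcap():
    frames = [_frame("192.0.2.10", "10.0.0.5", 3321, 80, b"GET /readme.eml HTTP/1.0\r\n\r\n"),
              _frame("198.51.100.7", "10.0.0.5", 80, 1042,
                     b"HTTP/1.0 200 OK\r\n\r\n<p>Advisory: Nimda uses a file named readme.eml</p>"),
              _frame("10.0.0.5", "192.0.2.10", 80, 3321, b"HTTP/1.0 404 Not Found\r\n\r\n")]
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body
```

Calling `triage(sample_pcap())` returns one "request-line" hit for the request to port 80 and one "payload-text" hit for the advisory page, each with the surrounding bytes for review.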