[Snort-users] WEB-IIS MISC forbidden

Gongya Yu yu at ...4361...
Thu Mar 14 22:32:03 EST 2002


Can anyone make a point to this for me ?

[**] WEB-MISC 403 Forbidden [**]
08/26-15:06:23.980458 x.x.x.x:80-> y.y.y.y:4415
TCP TTL:128 TOS:0x0 ID:8823 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x844F6263 Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
TCP Options (3) => NOP NOP TS: 8879756 12737173

[**] WEB-IIS Unauthorized IP Access Attempt [**]
08/26-15:06:23.980578 x.x.x.x:80-> y.y.y.y:4415
TCP TTL:128 TOS:0x0 ID:8824 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x844F680B Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
TCP Options (3) => NOP NOP TS: 8879756 12737173

x.x.x.x generates these actively or is triggered by y.y.y.y, then
generates these alerts ?

What I mean is
1. y.y.y.y tries to access x.x.x.x on port 80 from source port 4415,
then x.x.x.x responses with this alert ?

2. or x.x.x.x just tries to access y.y.y.y without any trigger from
y.y.y.y

   thanks in advance !!!
Snort user





More information about the Snort-users mailing list