[Snort-users] WEB-IIS MISC forbidden

bthaler at ...2720...
Fri Mar 15 06:51:03 EST 2002

These alerts are generated when the web server responds to a request with a standard HTTP 403 error message.  The two alerts go hand
in hand, and are usually seen together.  To answer your question, number 1 is correct.  This rule is triggered by a response from
the web server, indicating that someone has tried to access a forbidden page.

In my experience, they are fairly harmless, and will just generate noise.  Perhaps some people find value in them, but I tend to
consider them "paranoid" rules.  They can be triggered by anything from a bad link to a website, to a bad configuration of the web
server (no default page in IIS for example).

Without going into too much detail, I'll just say that I'm snorting "a lot" of traffic, and I have yet to see this alert triggered
in response to anything hostile, although others' experience may differ.


Brad T.
Technical Support
WebStream Internet Solutions

brad at ...2720...
(888) 932-2333 Toll-Free
(954) 730-7127 Local
(954) 733-7067 Fax
(954) 730-7405 Help Desk


----- Original Message -----
From: "Gongya Yu" <yu at ...4361...>
To: <snort-users at lists.sourceforge.net>
Sent: Saturday, April 13, 2002 1:01 AM
Subject: [Snort-users] WEB-IIS MISC forbidden

> Can anyone explain this to me?
> [**] WEB-MISC 403 Forbidden [**]
> 08/26-15:06:23.980458 x.x.x.x:80-> y.y.y.y:4415
> TCP TTL:128 TOS:0x0 ID:8823 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0x844F6263 Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
> TCP Options (3) => NOP NOP TS: 8879756 12737173
> [**] WEB-IIS Unauthorized IP Access Attempt [**]
> 08/26-15:06:23.980578 x.x.x.x:80-> y.y.y.y:4415
> TCP TTL:128 TOS:0x0 ID:8824 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0x844F680B Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
> TCP Options (3) => NOP NOP TS: 8879756 12737173
> Does x.x.x.x generate these actively, or is it triggered by y.y.y.y and
> then generates these alerts?
> What I mean is:
> 1. y.y.y.y tries to access x.x.x.x on port 80 from source port 4415,
> then x.x.x.x responds with this alert?
> 2. or x.x.x.x just tries to access y.y.y.y without any trigger from
> y.y.y.y?
>    Thanks in advance!!!
> Snort user
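As an added example, not part of the thread or of the Snort rule set, the following Python script makes the reply's point concrete: it parses the two alert headers quoted above, works out from the port numbers which side sent the packet that fired each rule, checks a payload for the 403 status line the reply describes, and groups the two alerts on the same flow into one event. The sample alert text is constructed from the quoted lines, the HTTP payloads are constructed, and the set of web-server ports and the status-line regex are assumptions; the exact content strings of the two Snort rules are not on this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the alert layout quoted in the thread, with the
# addresses left anonymised as x.x.x.x / y.y.y.y. Not real captured traffic.
SAMPLE_ALERTS = """\
[**] WEB-MISC 403 Forbidden [**]
08/26-15:06:23.980458 x.x.x.x:80-> y.y.y.y:4415
TCP TTL:128 TOS:0x0 ID:8823 IpLen:20 DgmLen:1500 DF
[**] WEB-IIS Unauthorized IP Access Attempt [**]
08/26-15:06:23.980578 x.x.x.x:80-> y.y.y.y:4415
TCP TTL:128 TOS:0x0 ID:8824 IpLen:20 DgmLen:1500 DF
"""

# Constructed HTTP payloads standing in for the packets behind those alerts.
FORBIDDEN_RESPONSE = b"HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
OK_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
CLIENT_REQUEST = b"GET /secret/ HTTP/1.1\r\nHost: x.x.x.x\r\n\r\n"

# Assumption: ports on which we expect a web server to be listening.
HTTP_SERVER_PORTS = {80, 443, 8080}

MSG_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
PKT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+)\s*->\s*(?P<dst>\S+):(?P<dport>\d+)$"
)
# Assumption: a 403 status line at the start of the server's reply is what
# the rules are looking for; the real rules' content strings may differ.
STATUS_403_RE = re.compile(rb"^HTTP/1\.[01] 403\b")


@dataclass(frozen=True)
class Alert:
    msg: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alerts(text: str) -> list[Alert]:
    """Pair each '[**] msg [**]' header with the packet line that follows it."""
    alerts: list[Alert] = []
    msg = None
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:
            msg = m.group("msg")
            continue
        p = PKT_RE.match(line)
        if p and msg is not None:
            alerts.append(Alert(msg, p["src"], int(p["sport"]), p["dst"], int(p["dport"])))
            msg = None
    return alerts


def direction(a: Alert) -> str:
    """Which side sent the packet that fired the rule: the web server or the client?"""
    if a.sport in HTTP_SERVER_PORTS and a.dport not in HTTP_SERVER_PORTS:
        return "server_response"
    if a.dport in HTTP_SERVER_PORTS and a.sport not in HTTP_SERVER_PORTS:
        return "client_request"
    return "unknown"


def client_of(a: Alert) -> str:
    """The host that made the request, whichever side the alerting packet came from."""
    return a.dst if direction(a) == "server_response" else a.src


def matches_403_rule(payload: bytes) -> bool:
    """Does this payload carry the 403 status line the reply says triggers the rules?"""
    return STATUS_403_RE.match(payload) is not None


def pair_by_flow(alerts: list[Alert]) -> dict[tuple, list[str]]:
    """Group alerts sharing src:port -> dst:port so the two rules show as one event."""
    flows: dict[tuple, list[str]] = defaultdict(list)
    for a in alerts:
        flows[(a.src, a.sport, a.dst, a.dport)].append(a.msg)
    return dict(flows)


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(f"{a.msg}: packet from {a.src}:{a.sport} is a {direction(a)}; "
              f"requesting client was {client_of(a)}")
    for flow, msgs in pair_by_flow(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"flow {flow}: {len(msgs)} alerts -> {msgs}")
    print("403 check:", matches_403_rule(FORBIDDEN_RESPONSE), matches_403_rule(OK_RESPONSE))
```

Both alerts come from x.x.x.x:80, so option 1 in the question holds: y.y.y.y asked for something it was not allowed to see, and the server's 403 reply is what tripped the rules. Grouping by flow also shows why the two messages always arrive together: they are fired by successive packets of the same response. If, as the reply suggests, you decide these are noise, Snort 2.x's threshold.conf lets you silence a rule by its SID with a `suppress gen_id 1, sig_id <sid>` line rather than editing the rule file.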
