[Snort-users] WEB-IIS MISC forbidden

Gongya Yu yu at ...4361...
Fri Mar 15 08:08:08 EST 2002


thanks so much !!!

bthaler at ...2720... wrote:

> These alerts are generated when the web server responds to a request with a standard HTTP 403 error message.  The two alerts go hand
> in hand, and are usually seen together.  To answer your question, number 1 is correct.  This rule is triggered by a response from
> the web server, indicating that someone has tried to access a forbidden page.
>
> In my experience, they are fairly harmless, and will just generate noise.  Perhaps some people find value in them, but I tend to
> consider them "paranoid" rules.  They can be triggered by anything from a bad link to a website, to a bad configuration of the web
> server (no default page in IIS for example).
>
> Without going into too much detail, I'll just say that I'm snorting "a lot" of traffic, and I have yet to see this alert triggered
> in response to anything hostile, although others' experience may differ.
>
> Sincerely,
>
> Brad T.
> Technical Support
> WebStream Internet Solutions
>
> brad at ...2720...
> http://www.webstream.net
> (888) 932-2333 Toll-Free
> (954) 730-7127 Local
> (954) 733-7067 Fax
> (954) 730-7405 Help Desk
>
> ----- Original Message -----
> From: "Gongya Yu" <yu at ...4361...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Saturday, April 13, 2002 1:01 AM
> Subject: [Snort-users] WEB-IIS MISC forbidden
>
> > Can anyone make a point to this for me ?
> >
> > [**] WEB-MISC 403 Forbidden [**]
> > 08/26-15:06:23.980458 x.x.x.x:80-> y.y.y.y:4415
> > TCP TTL:128 TOS:0x0 ID:8823 IpLen:20 DgmLen:1500 DF
> > ***A**** Seq: 0x844F6263 Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
> > TCP Options (3) => NOP NOP TS: 8879756 12737173
> >
> > [**] WEB-IIS Unauthorized IP Access Attempt [**]
> > 08/26-15:06:23.980578 x.x.x.x:80-> y.y.y.y:4415
> > TCP TTL:128 TOS:0x0 ID:8824 IpLen:20 DgmLen:1500 DF
> > ***A**** Seq: 0x844F680B Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
> > TCP Options (3) => NOP NOP TS: 8879756 12737173
> >
> > x.x.x.x generates these actively or is triggered by y.y.y.y, then
> > generates these alerts ?
> >
> > What I mean is
> > 1. y.y.y.y tries to access x.x.x.x on port 80 from source port 4415,
> > then x.x.x.x responds with this alert ?
> >
> > 2. or x.x.x.x just tries to access y.y.y.y without any trigger from
> > y.y.y.y
> >
> >    thanks in advance !!!
> > Snort user
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>

snort user
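
As an added example (not part of the original thread and not Snort project code), this Python script parses alerts in the layout quoted above, labels each as a server response or a client request from the port numbers, and groups the alerts that fired on the same flow. The addresses are constructed placeholders, and the web server port (80) is an assumption taken from the quoted alerts.

```python
import re
from collections import defaultdict

# Constructed sample in the alert layout quoted in the thread (first two lines
# of each alert only; addresses are documentation-range placeholders).
SAMPLE = """\
[**] WEB-MISC 403 Forbidden [**]
08/26-15:06:23.980458 192.0.2.10:80-> 198.51.100.7:4415

[**] WEB-IIS Unauthorized IP Access Attempt [**]
08/26-15:06:23.980578 192.0.2.10:80-> 198.51.100.7:4415

[**] WEB-MISC 403 Forbidden [**]
08/26-15:09:41.112233 192.0.2.10:80 -> 198.51.100.99:3021
"""

ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\s*\n"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+?):(?P<sport>\d+)\s*->\s*(?P<dst>\S+?):(?P<dport>\d+)"
)
WEB_PORTS = {80}  # assumption: the monitored web server listens on port 80

def parse_alerts(text):
    """Return one dict per alert, with the direction of the triggering packet."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
        if a["sport"] in WEB_PORTS:      # packet left the web server
            a["direction"], a["server"], a["client"] = "response", a["src"], a["dst"]
        elif a["dport"] in WEB_PORTS:    # packet was sent to the web server
            a["direction"], a["server"], a["client"] = "request", a["dst"], a["src"]
        else:
            a["direction"], a["server"], a["client"] = "unknown", None, None
        alerts.append(a)
    return alerts

def group_by_flow(alerts):
    """Collect alert messages per (server, client, client port) flow."""
    flows = defaultdict(list)
    for a in alerts:
        cport = a["dport"] if a["direction"] == "response" else a["sport"]
        flows[(a["server"], a["client"], cport)].append(a["msg"])
    return dict(flows)

if __name__ == "__main__":
    for flow, msgs in group_by_flow(parse_alerts(SAMPLE)).items():
        print(flow, msgs)
```

A flow that carries both messages, as the first one here does, is the pairing the reply describes: two rules matching the same 403 response from the server.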





