[Snort-users] WEB-IIS MISC forbidden

Matt Kettler mkettler at ...4108...
Fri Mar 15 15:35:02 EST 2002

Both of the mentioned rules are designed to trigger in response to denial 
messages from a web server sent back to a browser.

I'm going to use X to refer to the machine at IP address x.x.x.x and Y to 
refer to the machine at y.y.y.y.

The most likely case is that a web browser at Y tried to access a webserver 
at X and X sent back an error message.

It is entirely possible that someone deliberately sent a packet containing 
that message from X to Y, but there really would not be any point to it. 
Why would an attacker generate a forged "access denied" message and send it 
to a network?  I guess you could do this in an attempt to block someone's 
access to a valid website, but that hardly seems useful.

Thus I STRONGLY suspect that X is a real webserver and Y tried to access a 
page that X decided they were not allowed to access. There is little sense 
in any other case, and it certainly would not allow X to conduct any kind 
of significantly useful network attack on Y.

I personally keep these rules disabled. Do I really care how often one of 
my users tries to access an outside website and is told to go away? I mean, 
this is so common that I'd get 10+ hits a day out of a smallish network. If 
I want that information about my own webserver, I can always check the 
server logs, and they will contain more detail.

It's really up to you to determine which rules are useful to you, but a lot 
of the rules which indicate relatively ordinary error messages I eliminate 
from my ruleset (many of the rules fall into this category for me, like TTL 
exceeded, echo-request, echo-reply, gnutella/napster/icq/aim/whatever).

At 11:01 PM 4/12/2002 -0700, Gongya Yu wrote:
>Can anyone make a point to this for me ?
>[**] WEB-MISC 403 Forbidden [**]
>08/26-15:06:23.980458 x.x.x.x:80-> y.y.y.y:4415
>TCP TTL:128 TOS:0x0 ID:8823 IpLen:20 DgmLen:1500 DF
>***A**** Seq: 0x844F6263 Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
>TCP Options (3) => NOP NOP TS: 8879756 12737173
>[**] WEB-IIS Unauthorized IP Access Attempt [**]
>08/26-15:06:23.980578 x.x.x.x:80-> y.y.y.y:4415
>TCP TTL:128 TOS:0x0 ID:8824 IpLen:20 DgmLen:1500 DF
>***A**** Seq: 0x844F680B Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
>TCP Options (3) => NOP NOP TS: 8879756 12737173
>x.x.x.x generates these actively or is triggered by y.y.y.y, then
>generates these alerts?
>What I mean is
>1. y.y.y.y tries to access x.x.x.x on port 80 from source port 4415,
>then x.x.x.x responds with this alert?
>2. or x.x.x.x just tries to access y.y.y.y without any trigger from
>    thanks in advance !!!
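
The direction test Matt applies above (a packet coming *from* port 80 on an established connection is the server answering, not attacking), as an added Python example that is neither code from this thread nor part of Snort: it parses alerts in the full-alert layout quoted above, tags each as a server response or a client request, and counts them per signature so the noisy response-only rules stand out. The addresses and the third alert are constructed, and the set of web-server ports is an assumption.

```python
import re
from collections import Counter
# Constructed sample in Snort "full" alert format, modelled on the two alerts
# quoted in the thread; RFC 5737 addresses stand in for the anonymised x.x.x.x
# (web server) and y.y.y.y (browser). The third alert is invented so that a
# client-to-server packet is exercised as well.
SAMPLE_ALERTS = """\
[**] WEB-MISC 403 Forbidden [**]
08/26-15:06:23.980458 192.0.2.10:80-> 198.51.100.7:4415
TCP TTL:128 TOS:0x0 ID:8823 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x844F6263 Ack: 0xC9FE43 Win: 0x443D TcpLen: 32

[**] WEB-IIS Unauthorized IP Access Attempt [**]
08/26-15:06:23.980578 192.0.2.10:80-> 198.51.100.7:4415
TCP TTL:128 TOS:0x0 ID:8824 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x844F680B Ack: 0xC9FE43 Win: 0x443D TcpLen: 32

[**] CONSTRUCTED client request alert [**]
08/26-15:06:23.900000 198.51.100.7:4415-> 192.0.2.10:80
TCP TTL:64 TOS:0x0 ID:100 IpLen:20 DgmLen:300 DF
***AP*** Seq: 0xC9FE00 Ack: 0x844F6263 Win: 0x443D TcpLen: 32
"""

MSG_RE = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
CONN_RE = re.compile(r"^\S+ ([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)$")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:")  # Snort prints flags as 12UAPRSF
HTTP_SERVER_PORTS = {80, 443, 8080, 8443}  # assumption: the ports your web servers listen on

def parse_alerts(text):
    """One dict per alert block: msg, src, sport, dst, dport, flags."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines() + [""] * 4  # pad so short blocks fail to match, not raise
        m, c, f = MSG_RE.match(lines[0]), CONN_RE.match(lines[1]), FLAGS_RE.match(lines[3])
        if not (m and c and f):
            continue  # not a TCP alert in this layout; skip it
        alerts.append({"msg": m[1], "src": c[1], "sport": int(c[2]),
                       "dst": c[3], "dport": int(c[4]), "flags": f[1]})
    return alerts

def direction(alert):
    """From a web-server port, ACK set, SYN clear: the server's reply on an established connection."""
    if alert["sport"] in HTTP_SERVER_PORTS and "A" in alert["flags"] and "S" not in alert["flags"]:
        return "server-response"
    if alert["dport"] in HTTP_SERVER_PORTS:
        return "client-request"
    return "unknown"

def summarize(text):
    """Count (message, direction) pairs; response-only signatures firing on ordinary denials stand out."""
    return Counter((a["msg"], direction(a)) for a in parse_alerts(text))
```

Signatures whose count is almost entirely "server-response" are the ones Matt is talking about: candidates for disabling, or for a threshold, since the web server's own logs already record the denial in more detail.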
