[Snort-users] WEB-IIS MISC forbidden

Gongya Yu yu at ...4361...
Fri Mar 15 16:21:16 EST 2002


Thanks so much for your points!!

Matt Kettler wrote:

> Both of the mentioned rules are designed to trigger in response to denial
> messages from a web server sent back to a browser.
>
> I'm going to use X to refer to the machine at IP address x.x.x.x and Y to
> refer to the machine at y.y.y.y
>
> The most likely case is that a web browser at Y tried to access a webserver
> at X and X sent back an error message.
>
> It is entirely possible that someone deliberately sent a packet containing
> that message from X to Y, but there really would not be any point to it.
> Why would an attacker generate a forged "access denied" message and send it
> to a network?  I guess you could do this in an attempt to block someone's
> access to a valid website, but that hardly seems useful.
>
> Thus I STRONGLY suspect that X is a real webserver and Y tried to access a
> page that X decided they were not allowed to access. There is little sense
> in any other case, and it certainly would not allow X to conduct any kind
> of significantly useful network attack on Y.
>
> I personally keep these rules disabled. Do I really care how often one of
> my users tries to access an outside website and is told to go away? I mean,
> this is so common that I'd get 10+ hits a day out of a smallish network. If
> I want that information about my own webserver, I can always check the
> server logs, and it will contain more detail.
>
> It's really up to you to determine which rules are useful to you, but a lot
> of the rules which indicate relatively ordinary error messages I eliminate
> from my ruleset (many of the rules fall into this category for me like TTL
> exceeded, echo-request, echo-reply, gnutella/napster/icq/aim/whatever).
>
> At 11:01 PM 4/12/2002 -0700, Gongya Yu wrote:
> >Can anyone make a point to this for me?
> >
> >[**] WEB-MISC 403 Forbidden [**]
> >08/26-15:06:23.980458 x.x.x.x:80-> y.y.y.y:4415
> >TCP TTL:128 TOS:0x0 ID:8823 IpLen:20 DgmLen:1500 DF
> >***A**** Seq: 0x844F6263 Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
> >TCP Options (3) => NOP NOP TS: 8879756 12737173
> >
> >[**] WEB-IIS Unauthorized IP Access Attempt [**]
> >08/26-15:06:23.980578 x.x.x.x:80-> y.y.y.y:4415
> >TCP TTL:128 TOS:0x0 ID:8824 IpLen:20 DgmLen:1500 DF
> >***A**** Seq: 0x844F680B Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
> >TCP Options (3) => NOP NOP TS: 8879756 12737173
> >
> >x.x.x.x generates these actively or is triggered by y.y.y.y, then
> >generates these alerts?
> >
> >What I mean is
> >1. y.y.y.y tries to access x.x.x.x on port 80 from source port 4415,
> >then x.x.x.x responds with this alert?
> >
> >2. or x.x.x.x just tries to access y.y.y.y without any trigger from
> >y.y.y.y
> >
> >    thanks in advance !!!
> >Snort user
> >
> >
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
=============================================
Gongya Yu
System Security Engineer
Medical Center, University of Washington
Phone: (206) 543-9388 (W) (425) 369-2548 (H)
Email:  yu at ...4361...
URL: http://gongya.net
==============================================
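The direction question in the thread can be answered mechanically from the alert text itself: the packet in both alerts goes from port 80 to an ephemeral port 4415 with only the ACK flag set (***A****), which is a mid-stream server response, not a connection the web server initiated. The script below is an added example, not code from the thread or from Snort; it parses Snort full-format alerts like the two posted above plus one constructed client SYN alert (labelled as such) and classifies each packet's likely direction. The port list, the "client_syn"/"server_response"/"client_request" labels and the sample alerts are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the two alerts quoted in the thread, followed by
# one made-up client SYN alert so both directions appear. Not real traffic.
SAMPLE_ALERTS = """\
[**] WEB-MISC 403 Forbidden [**]
08/26-15:06:23.980458 x.x.x.x:80-> y.y.y.y:4415
TCP TTL:128 TOS:0x0 ID:8823 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x844F6263 Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
TCP Options (3) => NOP NOP TS: 8879756 12737173

[**] WEB-IIS Unauthorized IP Access Attempt [**]
08/26-15:06:23.980578 x.x.x.x:80-> y.y.y.y:4415
TCP TTL:128 TOS:0x0 ID:8824 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x844F680B Ack: 0xC9FE43 Win: 0x443D TcpLen: 32
TCP Options (3) => NOP NOP TS: 8879756 12737173

[**] CONSTRUCTED example: client SYN [**]
08/26-15:06:23.900000 y.y.y.y:4415 -> x.x.x.x:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0xC9FE42 Ack: 0x0 Win: 0x16D0 TcpLen: 40
"""

# Line 1 of a full-format alert: [**] message [**]
ALERT_HEADER = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
# Line 2: timestamp, then src:port -> dst:port (Snort sometimes omits the
# space before "->", as in the thread, so the whitespace is optional).
ALERT_ADDR = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\S+?):(?P<sport>\d+)\s*->\s*(?P<dst>\S+?):(?P<dport>\d+)$"
)
# Line 4: eight-character TCP flag field (positions 1 2 U A P R S F).
TCP_FLAGS = re.compile(r"^(?P<flags>[*12UAPRSF]{8}) Seq:")

# Assumed set of "service" ports for the heuristic below.
WEB_SERVICE_PORTS = {80, 443, 8080}


@dataclass
class Alert:
    msg: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_alerts(text: str) -> List[Alert]:
    """Turn a blob of Snort full-format alerts into Alert records."""
    alerts: List[Alert] = []
    cur: dict = {}
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            cur = {"msg": m["msg"]}
            continue
        m = ALERT_ADDR.match(line)
        if m and "msg" in cur:
            cur.update(src=m["src"], sport=int(m["sport"]),
                       dst=m["dst"], dport=int(m["dport"]))
            continue
        m = TCP_FLAGS.match(line)
        if m and "src" in cur:
            cur["flags"] = m["flags"]
            alerts.append(Alert(**cur))
            cur = {}
    return alerts


def direction(a: Alert) -> str:
    """Classify who initiated the connection this packet belongs to.

    A bare SYN identifies the initiator outright. Otherwise fall back on
    the port heuristic: service port -> ephemeral port with ACK set and no
    SYN is a server replying to a client it did not contact first.
    """
    syn = "S" in a.flags
    ack = "A" in a.flags
    if syn and not ack:
        return "client_syn"
    if a.sport in WEB_SERVICE_PORTS and a.dport > 1023 and ack and not syn:
        return "server_response"
    if a.dport in WEB_SERVICE_PORTS and a.sport > 1023:
        return "client_request"
    return "unknown"


def classify(text: str) -> List[tuple]:
    """(message, direction) for every alert in the text."""
    return [(a.msg, direction(a)) for a in parse_alerts(text)]


if __name__ == "__main__":
    for msg, d in classify(SAMPLE_ALERTS):
        print(f"{d:16s} {msg}")
```

Run against the posted alerts the two 403/IIS hits come out as server_response, i.e. case 1 in the original question (Y asked, X answered), and the constructed SYN comes out as client_syn. The same conclusion is what a rule's flow keyword (to_client / from_server) encodes in rule form; the script just makes the reasoning visible on an alert you already have.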
