[Snort-users] please help ID payload info
mkettler at ...4108...
Tue Oct 15 09:49:05 EDT 2002
Well, first did you check to see if this is actually coming from your
webserver, or an external one? You left any details about that out, so I
figure it's worth asking just to be sure. If it's an external webserver, I
bet it's a webpage containing sample output from a security check tool.
also you claim that's similar to content sent out via email... do you have
some sort of webmail access going where you might be accessing those emails
from your webserver, causing it to legitimately send that content?
If that's actually coming from your webserver, and you don't have webmail,
I'd check for security updates on ALL the webserver tools I was running
running if I were you :)
At 09:46 AM 10/15/2002 -0600, Randy Bey wrote:
>I am getting a WEB-MISC /etc/passwd hit occasionally, and it has me
>worried. How the heck are they getting what looks like the contents of
>the /etc directory?
More information about the Snort-users