[Snort-users] please help ID payload info

Robby Desmond rdesmond at ...6547...
Thu Oct 17 07:16:34 EDT 2002


At 09:46 AM 10/15/02 -0600, Randy Bey wrote:
>I am getting a WEB-MISC /etc/passwd hit occasionally, and it has me
>worried. How the heck are they getting what looks like the contents of
>the /etc directory?

To me, it looks like Snort is sniffing traffic related to system 
administration tasks. My box doesn't fire when FreeBSD emails me the 
nightly alerts, but if your scripts run over the web, then they could 
trigger it.

>I don't understand how it gets there, I have authentication set up on
>the server, so a plain old HEAD shouldn't work, but the payload looks
>like the output of an email that is routinely sent out with the 'ASET'
>job that I run daily. ASET is a Solaris thingie that does some HIDS
>stuff.

Again, I haven't had my Tripwire reports trigger alerts, but it might be 
because of how they are sent.

>I looked in access_log on the web server and all I see is 401's
>(authentication required) for all HEAD type requests. So why is this
>data here?
<SNIP!>

Well, my thinking is that your ASET tool is doing reporting over a channel 
that Snort monitors. And since the content matches the /etc/passwd rule, it 
triggers an alert.

I would check to see if the time of the alert corresponds to the time when 
ASET runs.

Does ASET generate web-based reports by any chance?

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906
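One way to do the check Robby suggests (does the alert time line up with the ASET run?) is to correlate the Snort alert timestamps with the job's schedule and the host it runs on. The script below is an added example, not from the original thread or the Snort project. It assumes alert lines in the style of Snort's alert_fast output (the sample lines, SID/rev numbers and addresses are constructed and illustrative), a daily job start time of 03:00 and an admin host of 10.0.0.5 (both made-up values), and a 15-minute delivery window after the job starts. Alerts inside the window from the job host are marked as a likely scheduled report; everything else is left for investigation.

```python
import re
from datetime import datetime, time, timedelta

# Constructed sample lines in the style of Snort's alert_fast output.
# The SID/rev numbers and addresses are illustrative, not from the post.
SAMPLE_ALERTS = """\
10/15-03:02:17.123456  [**] [1:1122:4] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40212 -> 10.0.0.10:80
10/15-14:37:02.000111  [**] [1:1122:4] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.44:51000 -> 10.0.0.10:80
10/16-03:01:58.555555  [**] [1:1122:4] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40340 -> 10.0.0.10:80
10/16-03:05:10.000000  [**] [1:1122:4] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:33001 -> 10.0.0.10:80
"""

# Timestamp, rule message, protocol and the endpoints of an alert_fast line.
ALERT_RE = re.compile(
    r"^(?P<month>\d\d)/(?P<day>\d\d)-(?P<hms>\d\d:\d\d:\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)


def parse_alert(line, year):
    """Parse one alert_fast line; alert_fast omits the year, so the caller supplies it."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['month']}/{m['day']} {m['hms']}",
                           "%Y/%m/%d %H:%M:%S")
    return {"ts": ts, "msg": m["msg"], "src": m["src"], "dst": m["dst"]}


def in_job_window(ts, job_time, window):
    """True if ts falls within `window` after the job's scheduled start.

    Both today's and yesterday's scheduled start are checked, so a window
    that crosses midnight (e.g. a 23:55 job) is still matched.
    """
    for day_offset in (0, 1):
        start = datetime.combine(ts.date(), job_time) - timedelta(days=day_offset)
        if start <= ts <= start + window:
            return True
    return False


def classify_alerts(text, year, job_time, job_hosts, window=timedelta(minutes=15)):
    """Tag each alert as a likely scheduled report or as needing investigation.

    An alert is only attributed to the job when it is both inside the job's
    delivery window and sourced from a host known to run the job; anything
    else is kept for a human to look at.
    """
    results = []
    for line in text.splitlines():
        alert = parse_alert(line, year)
        if alert is None:
            continue
        scheduled = in_job_window(alert["ts"], job_time, window) and alert["src"] in job_hosts
        alert["verdict"] = "likely scheduled report" if scheduled else "investigate"
        results.append(alert)
    return results


if __name__ == "__main__":
    # Assumed schedule: job starts daily at 03:00 on the admin host 10.0.0.5.
    for a in classify_alerts(SAMPLE_ALERTS, 2002, time(3, 0), {"10.0.0.5"}):
        print(a["ts"], a["src"], "->", a["dst"], a["msg"], "=>", a["verdict"])
```

The host check matters as much as the time check: a request that happens to arrive during the job window from an unrelated address is still flagged, so the correlation narrows the false positives without hiding a real probe that coincides with the schedule.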
