[Snort-users] please help ID payload info
rdesmond at ...6547...
Thu Oct 17 07:16:34 EDT 2002
At 09:46 AM 10/15/02 -0600, Randy Bey wrote:

>I am getting a WEB-MISC /etc/passwd hit occasionally, and it has me
>worried. How the heck are they getting what looks like the contents of
>the /etc directory?

To me, it looks like Snort is sniffing traffic related to system
administration tasks. My box doesn't fire when FreeBSD emails me the
nightly alerts, but if your scripts run over the web, then they could

>I don't understand how it gets there, I have authentication set up on
>the server, so a plain old HEAD shouldn't work, but the payload looks
>like the output of an email that is routinely sent out with the 'ASET'
>job that I run daily. ASET is a Solaris thingie that does some HIDS

Again, I haven't had my Tripwire reports trigger alerts, but it might be
because of how they are sent.

>I looked in access_log on the web server and all I see is 401's
>(authentication required) for all HEAD type requests. So why is this

Well, my thinking is that your ASET tool is doing reporting over a channel
that Snort monitors. And since the content matches the /etc/passwd rule, it
triggers an alert.

I would check to see if the time of the alert corresponds to the time when

Does ASET generate web-based reports by any chance?
UCSB Extended Learning Services
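The two checks suggested in the reply (does the alert time line up with the daily job, and is the /etc/passwd content coming out of the server rather than into it) can be scripted. The following is an added example, not code from the thread or from Snort; it parses Snort "fast" alert lines and compares each alert against a daily job time. The alert lines, the server address 10.0.0.5, the 02:30 job time and the year 2002 are all constructed assumptions for the demonstration.

```python
"""Triage Snort 'WEB-MISC /etc/passwd' alerts against a scheduled job.

Added example (not from the original thread). Snort fast-alert lines carry
no year, so the caller supplies one. Sample lines, server address and job
time below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Snort 1.x/2.x "fast" alert line layout:
# MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [...] {PROTO} src:sport -> dst:dport
FAST_ALERT_RE = re.compile(
    r"^(?P<month>\d{2})/(?P<day>\d{2})-(?P<time>\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts (not real captures). Two fire within a minute of
# a 02:30 daily job with the web server as the *source*; one is an inbound
# request from an outside address in the middle of the afternoon.
SAMPLE_ALERTS = """\
10/15-02:30:41.113201 [**] [1:1122:1] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:4432
10/15-14:07:03.551870 [**] [1:1122:1] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.44:51022 -> 10.0.0.5:80
10/16-02:31:02.004411 [**] [1:1122:1] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:4470
"""


def parse_alert(line, year=2002):
    """Return a dict for one fast-alert line, or None if it does not parse."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['month']}/{m['day']} {m['time']}",
                           "%Y/%m/%d %H:%M:%S")
    return {
        "time": ts, "sid": int(m["sid"]), "msg": m["msg"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def seconds_from_schedule(ts, run_hour, run_minute):
    """Seconds between ts and the nearest daily run at run_hour:run_minute."""
    scheduled = ts.replace(hour=run_hour, minute=run_minute, second=0, microsecond=0)
    candidates = (scheduled - timedelta(days=1), scheduled, scheduled + timedelta(days=1))
    return min(abs((ts - c).total_seconds()) for c in candidates)


def triage(alert_text, server_ip, server_port, run_hour, run_minute, window_s=600):
    """Label each alert by direction and by closeness to the scheduled job.

    'likely-scheduled-report': server is the source and the alert is within
        window_s of the job, i.e. the server sent the matching content when
        the report job normally runs.
    'server-response-offschedule': server sent the content at another time.
    'inbound-request': the match is in traffic *to* the server; cross-check
        against access_log (the 401s in the thread belong here).
    """
    results = []
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        server_is_source = a["src"] == server_ip and a["sport"] == server_port
        delta = seconds_from_schedule(a["time"], run_hour, run_minute)
        if server_is_source and delta <= window_s:
            verdict = "likely-scheduled-report"
        elif server_is_source:
            verdict = "server-response-offschedule"
        else:
            verdict = "inbound-request"
        results.append({**a, "seconds_from_job": delta, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS, "10.0.0.5", 80, 2, 30):
        print(f"{r['time']}  sid={r['sid']}  {r['src']}:{r['sport']} -> "
              f"{r['dst']}:{r['dport']}  +{int(r['seconds_from_job'])}s  {r['verdict']}")
```

Run against a real alert file, the interesting output is the lines that are *not* labelled likely-scheduled-report: a match in a server response outside the job window, or in an inbound request, is the case the rule exists for, while the on-schedule server-side matches are the candidates for a pass rule or a threshold once the report channel is confirmed.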