[Snort-users] WEB-IIS cmd.exe access

Ing. Daniel Manrique roadmr at ...5706...
Tue Sep 3 10:47:02 EDT 2002


> I know this is for IIS servers but I am seeing a ton of these in ACID to
> my apache server. Should I ignore?

It's usually a worm (nimda/codered) doing automated probes, so it doesn't 
really know whether your server'll be affected, it's just shooting in the 
dark.

If you know FOR A FACT that your server won't be affected, it's OK to
ignore them or even remove the rule file from snort.conf. That's what I do
since I don't have a single IIS server on my network; although it was fun
watching the poor worms probing, it got boring fast so I disabled them.




