[Snort-users] Web Cgi finger question

Ryan Sebastian rsebastian at ...5068...
Mon Jun 9 05:55:18 EDT 2003


It is possible someone was surfing with the webserver. Legit traffic then?

-----Original Message-----
From: Snortman [mailto:snortman at ...4371...]
Sent: Friday, June 06, 2003 12:53 PM
To: Ryan Sebastian
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Web Cgi finger question


Ryan Sebastian wrote:

>Hi all. New to snort.
>CGI isn't installed on my webserver and I got this log. Why is my machine
>going outbound to 209.75.26.33?
>TIA
>
>
>[**] [1:839:4] WEB-CGI finger access [**]
>[Classification: Attempted Information Leak] [Priority: 2]
>06/04-23:22:06.134506 192.168.0.7:3252 -> 209.75.26.33:80
>TCP TTL:128 TOS:0x0 ID:34291 IpLen:20 DgmLen:373 DF
>***AP*** Seq: 0x3C2AB497  Ack: 0x605A3CAF  Win: 0x4470  TcpLen: 20
>[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10071][Xref =>
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0612][Xref =>
>http://www.whitehats.com/info/IDS221]
>
>
Ryan,

Are you sure that no one is surfing the web with a browser on your 
webserver?

>
>
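The flow line in the quoted alert already supports the answer given in this thread: the source is the local host on a high port and the destination is a remote host on port 80, so the local machine was acting as an HTTP client. The following is an added example, not part of the original messages, that parses such an alert and classifies its direction; the 192.168.0.0/24 home network and the second (inbound) alert are assumptions constructed for contrast.

```python
import ipaddress
import re

# Assumption: the sensor's home network is 192.168.0.0/24 (the poster's host is 192.168.0.7).
HOME_NET = ipaddress.ip_network("192.168.0.0/24")

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")

# Alert header and flow line as quoted in the thread.
THREAD_ALERT = """[**] [1:839:4] WEB-CGI finger access [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/04-23:22:06.134506 192.168.0.7:3252 -> 209.75.26.33:80"""

# Constructed contrast case: a remote client requesting the local web server.
INBOUND_ALERT = """[**] [1:839:4] WEB-CGI finger access [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/04-23:40:00.000000 203.0.113.9:40112 -> 192.168.0.7:80"""

def parse_alert(text):
    """Extract rule id, message and packet endpoints from one full-mode alert."""
    head, flow = HEADER.search(text), FLOW.search(text)
    if not head or not flow:
        raise ValueError("not a Snort full-mode alert")
    return {
        "sid": int(head.group(2)),
        "msg": head.group(4),
        "src": ipaddress.ip_address(flow.group(1)),
        "sport": int(flow.group(2)),
        "dst": ipaddress.ip_address(flow.group(3)),
        "dport": int(flow.group(4)),
    }

def direction(alert, http_ports=(80,)):
    """Classify which side sent the HTTP request that matched the rule."""
    src_home = alert["src"] in HOME_NET
    dst_home = alert["dst"] in HOME_NET
    if src_home and not dst_home and alert["dport"] in http_ports:
        return "outbound-client"   # local host requested a remote web server
    if dst_home and not src_home and alert["dport"] in http_ports:
        return "inbound-server"    # remote host requested the local web server
    return "other"

if __name__ == "__main__":
    for sample in (THREAD_ALERT, INBOUND_ALERT):
        a = parse_alert(sample)
        print(a["sid"], a["msg"], a["src"], "->", a["dst"], direction(a))
```

An "outbound-client" result points the investigation at whatever program on the local host made the request, not at the web server's CGI configuration.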
