[Snort-users] Web Cgi finger question

Ryan Sebastian rsebastian at ...5068...
Mon Jun 9 05:55:18 EDT 2003

It is possible someone was surfing with the webserver. Legit traffic then?

-----Original Message-----
From: Snortman [mailto:snortman at ...4371...]
Sent: Friday, June 06, 2003 12:53 PM
To: Ryan Sebastian
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Web Cgi finger question

Ryan Sebastian wrote:

>Hi all. New to snort.
>CGI isnt installed on my webserver and I got this log. Why is my machine
>going outbound to
>[**] [1:839:4] WEB-CGI finger access [**]
>[Classification: Attempted Information Leak] [Priority: 2]
>06/04-23:22:06.134506 ->
>TCP TTL:128 TOS:0x0 ID:34291 IpLen:20 DgmLen:373 DF
>***AP*** Seq: 0x3C2AB497  Ack: 0x605A3CAF  Win: 0x4470  TcpLen: 20
>[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10071][Xref =>
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0612][Xref =>

Are you sure that no one is surfing the web with a browser on your 

>This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
>thread debugger on the planet. Designed with thread debugging features
>you've never dreamed of, try TotalView 6 free at www.etnus.com.
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

More information about the Snort-users mailing list