[Snort-users] IDS alert

Michael Shirk shirkdog_linux at ...125...
Mon May 10 04:50:04 EDT 2004

<"May 7 19:59:43  snort: [1:1010:5] WEB-IIS encoding access [Classification:
<access to a potentially vulnerable web application] [Priority: 2]: {TCP}
< -> xxx.xxx.xxx.xxx:2245 "

<Please let me know how should I make defense for this alert?  It comes very
<frequently and with different source IP to different destination IP.

Not sure folks, this looks like return traffic from the source address. Here 
is some banner grabbing recon on port 80 of that source address:

Connected to
Escape character is '^]'.
Get /index.html http/1.1

HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 161
Expires: Mon, 10 May 2004 11:46:36 GMT
Date: Mon, 10 May 2004 11:46:36 GMT
Connection: close

<TITLE>Bad Request</TITLE>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
