[Snort-users] Taking action on exploit attempts

Pratik Narang pratik.cse.bits at ...11827...
Sat Sep 22 06:32:24 EDT 2012


Asking this as a general opinion of experienced users...

Just now I see I have had about 40 hits in one second for rule 1:16008,
which corresponds to CVE-2007-6239: WEB-MISC Multiple Products excessive
HTTP 304 Not Modified responses exploit
attempt <http://www.snort.org/search/sid/16008>.
In this particular case, do I need to do anything?

What does general wisdom say in this regard? Should such one-off hits
be taken seriously and some action be taken, like blocking the source IP?
(Well, I just run Snort in IDS mode, so I can't actually take any action, but
I wanted to know this to have more understanding of it.) Or should admins
usually wait to see repeated hits before deciding that this is not some
false trigger but an actual alert?

Thanks
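As an added illustration of the "one-off versus repeated hits" question (this is example code, not part of the original post and not Snort project code): the script below parses Snort alert_fast-style lines, groups them by (rule, source IP) and labels each group as a burst (many hits inside one second, the situation described above), sustained (hits spread across several minutes) or a one-off. The sample alert lines are constructed; the rule revision number and classification text in them are placeholders, the thresholds are arbitrary starting points, and the parser assumes IPv4 addresses. One caveat before blocking anything on the strength of such a verdict: for a rule whose name refers to HTTP responses, the address in the alert's source field is usually the web server end of the flow, so check which end the rule actually matches on before treating that address as an attacker.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for Snort's alert_fast line layout (IPv4 only: an assumption made
# to keep the pattern readable).
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

# alert_fast timestamps carry no year, so all times land in 1900; that is
# fine because only differences between timestamps are used.
EPOCH = datetime(1900, 1, 1)


def parse_fast_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
    d["rule"] = f"{d['gid']}:{d['sid']}"
    return d


def triage(lines, burst_window=1.0, burst_min=20, window=60.0, sustained_min=3):
    """Group alerts by (rule, source IP) and label each group.

    burst:     at least burst_min alerts inside any burst_window seconds
    sustained: alerts spread over at least sustained_min distinct window-second buckets
    one-off:   everything else
    The thresholds are arbitrary defaults, not values recommended by Snort.
    """
    groups = defaultdict(list)
    for line in lines:
        a = parse_fast_alert(line)
        if a:
            groups[(a["rule"], a["src"])].append(a["time"])

    result = {}
    for key, times in groups.items():
        times.sort()
        # sliding window: largest number of alerts within burst_window seconds
        peak, lo = 0, 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > burst_window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        # how many distinct window-second buckets the alerts touch
        buckets = {int((t - EPOCH).total_seconds() // window) for t in times}
        if peak >= burst_min:
            verdict = "burst"
        elif len(buckets) >= sustained_min:
            verdict = "sustained"
        else:
            verdict = "one-off"
        result[key] = {"count": len(times), "peak_per_window": peak,
                       "distinct_buckets": len(buckets), "verdict": verdict,
                       "first": times[0], "last": times[-1]}
    return result


# ---- constructed sample input (not real Snort output) ----
T0 = datetime(1900, 9, 22, 6, 31, 12)


def _fast_line(t, src, dst="192.0.2.10:51234"):
    # Placeholder rev (":1") and classification text; only the SID and
    # message come from the rule named in the post.
    return (f"{t.strftime('%m/%d-%H:%M:%S.%f')}  [**] [1:16008:1] WEB-MISC Multiple "
            f"Products excessive HTTP 304 Not Modified responses exploit attempt [**] "
            f"[Classification: Attempted Denial of Service] [Priority: 2] {{TCP}} "
            f"{src} -> {dst}")


SAMPLE_ALERTS = (
    # 40 hits within one second from one server: the situation in the post
    [_fast_line(T0 + timedelta(milliseconds=20 * i), "203.0.113.5:80") for i in range(40)]
    # a single hit from a second server
    + [_fast_line(T0 + timedelta(seconds=3), "198.51.100.7:80")]
    # 12 hits from a third server, one every 30 s for six minutes
    + [_fast_line(T0 + timedelta(minutes=9, seconds=30 * i), "203.0.113.9:80") for i in range(12)]
)

if __name__ == "__main__":
    for (rule, src), info in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{rule} from {src}: {info['count']} hits, peak {info['peak_per_window']}/s, "
              f"{info['distinct_buckets']} minute buckets -> {info['verdict']}")
```

The verdict only says whether the alert pattern is a single event, a one-second spike, or something that keeps coming; deciding to block still needs the rule text and a packet capture, because a spike can just as easily be a busy legitimate client talking to a server that answers with many 304s. If the repeat alerts themselves are the nuisance, Snort's `event_filter` (type limit, track by_src) can rate-limit them in the sensor, but that throws away the hit counts this kind of triage relies on.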

