
List:       snort-sigs
Subject:    Re: [Snort-sigs] wrong flow side on very old sid 1045 (always
From:       Joe Gedeon <joe.gedeon () gmail ! com>
Date:       2011-09-04 22:03:39
Message-ID: CAM1A6Ky5nf55qnQNr1J7GabyxTF5JcJbp2Cx6yOJUqRGzZct_w () mail ! gmail ! com

Rmkml,

The sensor is looking for the 403 page from your servers.  Look at
your web logs and look for what the client was trying to get to to
cause the 403.

On Sun, Sep 4, 2011 at 17:05, rmkml <rmkml@yahoo.fr> wrote:
> Hi,
> Maybe I've found a wrong flow side on very old sid 1045:
> web-iis.rules:# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any \
> (msg:"WEB-IIS Unauthorized IP Access Attempt"; flow:to_server,established; \
> content:"403"; content:"Forbidden|3A|"; classtype:web-application-attack; sid:1045; \
> rev:11;) but this sig still exists in the latest SEU 493.
> Sample:
> HTTP/1.1 403 Forbidden
> Content-Length: 1409
> Content-Type: text/html
> Server: Microsoft-IIS/6.0
> ...
> <h2>HTTP Error 403.4 - Forbidden: SSL is required to view this \
>                 resource.<br>Internet Information Services (IIS)</h2>
> ...
> Regards
> Rmkml
> 
> http://twitter.com/rmkml
> 
> ------------------------------------------------------------------------------
> Special Offer -- Download ArcSight Logger for FREE!
> Finally, a world-class log management solution at an even better
> price-free! And you'll get a free "Love Thy Logs" t-shirt when you
> download Logger. Secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsisghtdev2dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
> 



-- 
Registered Linux User # 379282
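
An added example, not part of the original thread or of the Snort project: a small Python check that flags a rule whose header direction and flow keyword disagree, which is the mismatch reported above for sid 1045. Treating any variable named like `$HTTP_SERVERS` as the server side is an assumption of this sketch, and the comparison rule with sid 1000001 is constructed.

```python
import re

# Assumption: a variable named like $HTTP_SERVERS marks the server side.
SERVER_VAR = re.compile(r"^\$\w*SERVERS$")
HEADER = re.compile(r"^\s*#?\s*alert\s+\w+\s+(?P<src>\S+)\s+\S+\s+(?P<dir>->|<>)"
                    r"\s+(?P<dst>\S+)\s+\S+\s*\((?P<opts>.*)\)\s*$", re.S)
FLOW = re.compile(r"\bflow\s*:\s*([^;]+);")
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# Snort treats from_client as to_server and to_client as from_server.
SIDE = {"to_server": "to_server", "from_client": "to_server",
        "from_server": "from_server", "to_client": "from_server"}

def header_side(src, dst):
    """Flow side implied by the header alone, or None when it is unclear."""
    src_srv, dst_srv = bool(SERVER_VAR.match(src)), bool(SERVER_VAR.match(dst))
    if src_srv == dst_srv:
        return None
    return "from_server" if src_srv else "to_server"

def check_rule(rule_text):
    """Return (sid, finding); finding is None when header and flow agree."""
    m = HEADER.match(rule_text.replace("\\\n", " "))  # join continued lines
    if not m:
        return None, "unparsed rule"
    sid = SID.search(m["opts"])
    sid = int(sid.group(1)) if sid else None
    flow = FLOW.search(m["opts"])
    implied = header_side(m["src"], m["dst"])
    if m["dir"] == "<>" or not flow or implied is None:
        return sid, None
    sides = {SIDE[k.strip()] for k in flow.group(1).split(",") if k.strip() in SIDE}
    if sides and implied not in sides:
        return sid, f"header implies {implied}, flow says {', '.join(sorted(sides))}"
    return sid, None

# sid 1045 as quoted in the thread (commented out in web-iis.rules).
SID_1045 = ('# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any '
            '(msg:"WEB-IIS Unauthorized IP Access Attempt"; flow:to_server,established; '
            'content:"403"; content:"Forbidden|3A|"; classtype:web-application-attack; '
            'sid:1045; rev:11;)')
# Constructed comparison rule (not an official revision): same header, response-side flow.
CONSTRUCTED = SID_1045.replace("flow:to_server", "flow:to_client").replace(
    "sid:1045; rev:11;", "sid:1000001; rev:1;")

if __name__ == "__main__":
    for rule in (SID_1045, CONSTRUCTED):
        print(check_rule(rule))
```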
