
Security Basics mailing list archives

Re: X11 Outgoing
From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Fri, 31 Oct 2003 09:24:08 -0700

On Thu, Oct 30, 2003 at 02:43:45PM +0400, Dr Aldo Medina wrote:
> I frequently get these messages in my log, after installing
> snort. After looking at hundreds of results in Google, I still can find
> out if this is a real threat. Any ideas? TIA.

It is in Snort so you can know if there are X11 connections whizzing
through your boundary between network segments.

X11 is the windowing system used by Linux, Solaris, Open/Free/Net BSD,
and many other Unix and Unix-like variants.  There are ports to
Windows and I think MacOS (if MacOS X isn't already running X11
natively).

X11 allows running programs on remote machines and sending the display
to the local machine.  If you are familiar with Microsoft Remote
Desktop, or VNC, the spirit is similar though things are accomplished
very much differently.

An X11 connection is the start of a display being sent to a remote
machine, or a remote machine sending its display (or other more evil
things) to a local machine.

If there are supposed to be X11 connections, then this isn't a big
deal; tune Snort to not listen for X11 connections.

A better approach is to limit this alert to the IPs that should *not*
have X11 connections going to them (or from them) - your enterprise,
Windows machines (maybe), everything in your DMZ (likely), your 9600
baud modem pool, etc.  Then when you see this alert you can freak out
with the proper amount of panic.

This way you can think "Hmm, an X11 connection from my....  credit
card database to... Korea. Ah &*$!" instead of "Hmmm all X11
connections thus far have been false positives, this one is no
different."
-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         Joyously Canadian               Computer Science
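
Added example, not part of the original message: the scoping described above, applied as a triage step over Snort fast-format alert lines rather than in the rule itself, so that only X11 alerts touching a network that should never carry X11 are escalated. The network ranges, zone names, rule IDs and alert lines are constructed for illustration.

```python
import ipaddress
import re

# Assumption: networks where X11 should never appear (constructed ranges).
NO_X11_NETS = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "card-db": ipaddress.ip_network("10.20.30.0/28"),
    "modem-pool": ipaddress.ip_network("10.9.6.0/24"),
}

# Snort "fast" alert line: [**] [gid:sid:rev] msg [**] ... {TCP} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*"
    r"\{TCP\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

def restricted_zone(ip):
    """Name of the restricted network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in NO_X11_NETS.items():
        if addr in net:
            return name
    return None

def triage(lines):
    """Return (zone, src, dst) for each X11 alert that touches a restricted network."""
    hits = []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m or "X11" not in m.group("msg"):
            continue  # not a TCP alert line, or not an X11 alert
        for ip in (m.group("src"), m.group("dst")):
            zone = restricted_zone(ip)
            if zone:
                hits.append((zone, m.group("src"), m.group("dst")))
                break  # one hit per alert, even if both ends are restricted
    return hits

# Constructed sample alerts: expected workstation X11, card DB to outside,
# an unrelated ICMP alert, and an outside host talking X11 to the DMZ.
SAMPLE_ALERTS = [
    "10/30-14:43:45.101 [**] [1:1000001:1] X11 outgoing [**] [Priority: 3] {TCP} 10.1.1.5:6000 -> 10.1.2.7:40112",
    "10/30-15:02:11.532 [**] [1:1000001:1] X11 outgoing [**] [Priority: 3] {TCP} 10.20.30.4:6001 -> 203.0.113.80:51515",
    "10/30-15:10:09.000 [**] [1:1000002:1] ICMP PING [**] [Priority: 3] {ICMP} 192.0.2.10 -> 10.1.1.5",
    "10/30-16:20:00.250 [**] [1:1000001:1] X11 outgoing [**] [Priority: 3] {TCP} 198.51.100.9:6000 -> 192.0.2.25:33000",
]

if __name__ == "__main__":
    for zone, src, dst in triage(SAMPLE_ALERTS):
        print(f"ESCALATE X11 involving {zone}: {src} -> {dst}")
```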
