Home page logo

basics logo Security Basics mailing list archives

Re: X11 Outgoing
From: Dr Aldo Medina <aldomedina () hotpop com>
Date: Fri, 31 Oct 2003 14:59:32 +0400

El vie, 31-10-2003 a las 20:24, Brad Arlt escribió:
On Thu, Oct 30, 2003 at 02:43:45PM +0400, Dr Aldo Medina wrote:
I frequently get this messages in my log, after installing
snort. After looking hundreds of results in Google, I still can find
out if this is a real treat. Any ideas? TIA.

It is in Snort so you can know if there are X11 connections whizzing
through your boundry between network segments.

X11 is the windowing system used by Linux, Solaris, Open/Free/Net BSD,
and many other Unix and Unix-like variants.  There are ports to
Windows and I think MacOS (if MacOS X isn't already running X11

X11 allows running programs on remote machines and sending the display
to the local machine.  If you are familiar with Microsoft Remote
Desktop, or VNC, the spirit is similar though things are accomplished
very much differently.

An X11 connection is the start of a display being sent to a remote
machine, or a remote machine sending its display (or other more evil
things) to a local machine.

If there are supposed to be X11 connections, then this isn't a big
deal, tune Snort to not listen for X11 connections.  

A better approach is to limit this alert to the IPs that should *not*
have X11 connections going to them (or from them) - your enterprise,
Windows machines(maybe), everything in your DMZ (likely), your 9600
baud modem pool, etc.  Then when you see this alert you can freak out
with the propper amount of panic.

This way you can think "Hmm, an X11 connection from my....  credit
card database to... Korea. Ah &*$!" instead of "Hmmm all X11
connections thus far have been false positives, this one is no

Thanks for answering. I once used X11 forwarding, even thru ssh. I don't
use it anymore, however. My question is more related to the treat of
this messages, since almost all are similar to this one:

Oct 31 06:42:25 {mylocalhost} snort: [1:1227:1] X11 outgoing
[Classification: Unknown Traffic] [Priority: 3]: {TCP} -> {mylocalip}:59465

What do you think?. Thanks again.

GPG Public key: Primary site: pgp.mit.edu 0xDED784BF
Alternative: http://aldomedina.dyndns.org/key.gpg

The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]