Snort mailing list archives
Re: (no subject)
From: Blake Frantz <blake () mc net>
Date: Mon, 9 Jul 2001 22:43:02 -0500 (CDT)
WinGate is a proxying application used to allow usually SOHO users to share internet feeds with multiple computers in the LAN. WinGate listens on port 8080 -- people know this and scan for misconfigured WinGates to bounce off of.

The IIS Unicode attack (from my experience) is probably a false positive. Check the packet payload and your web logs for directory traversal attempts. Read this for more info on the attack:

http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Hope this helps.

Blake

=================================================================
The Government, like diapers, should be replaced regularly, and often for the same reasons.

On Tue, 10 Jul 2001, cboy wrote:
> hello~
> Can anybody tell me what these alert messages mean?
> "MISC-WinGate-8080-Attempt" and
> "spp_http_decode: IIS Unicode attack detected"
> I use the snort.conf which the snort-1.7 source gives.
> thanks all.
> frank
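The web-log check suggested in the reply above can be scripted. This is an added example, not part of the original post or of Snort: it decodes each logged request URI (repeated percent-decoding, then folding overlong two-byte UTF-8 forms back to ASCII) and reports only requests that contain a `..` path segment. The log layout, function names and sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines; assumed layout: date time client method uri status.
SAMPLE_LOG = """\
2001-07-10 03:12:01 192.0.2.10 GET /index.html 200
2001-07-10 03:12:05 192.0.2.44 GET /scripts/..%c0%af../placeholder.exe 404
2001-07-10 03:12:09 192.0.2.44 GET /scripts/..%255c../placeholder.exe 404
2001-07-10 03:13:30 192.0.2.77 GET /docs/r%c3%a9sum%c3%a9.html 200
2001-07-10 03:14:02 192.0.2.78 GET /a/../b.html 200
"""

# A 0xC0/0xC1 lead byte plus a continuation byte is an overlong form of an ASCII char.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")
# A ".." path segment delimited by "/" or "\" (or by the string boundary).
TRAVERSAL = re.compile(rb"(^|[/\\])\.\.([/\\]|$)")

def _fold(match):
    lead, cont = match.group(0)
    return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])

def normalize(uri, max_passes=3):
    """Percent-decode until stable (catches double encoding), then fold overlongs."""
    data = uri.encode("latin-1", "replace")
    for _ in range(max_passes):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return OVERLONG.sub(_fold, data)

def classify(uri):
    if TRAVERSAL.search(uri.encode("latin-1", "replace")):
        return "traversal"
    if TRAVERSAL.search(normalize(uri)):
        return "encoded-traversal"
    return "clean"  # includes ordinary UTF-8 in names, a likely false positive

def triage(log_text):
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 6 and classify(fields[4]) != "clean":
            hits.append((fields[2], fields[4], classify(fields[4])))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit)
```

Requests reported as `encoded-traversal` are the ones worth correlating with the Snort alert timestamps; a request with only ordinary multi-byte UTF-8 in its path stays `clean`.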
