Snort mailing list archives

Re: Another snort log


From: "Guillaume" <guillaume () anteria fr>
Date: Wed, 27 Feb 2002 09:43:53 +0100 (CET)

In his previous message, Scott Taylor wrote:

Another snort log question. Sorry, trying to get
up to speed on this.

[**] [1:1201:1] WEB-MISC 403 Forbidden [**]
[Classification: Attempted Information Leak]
[Priority: 2]
02/25-19:26:21.830746 (myfirewallip):80 ->
(someoneelsesip):2294
TCP TTL:64 TOS:0x0 ID:15896 IpLen:20 DgmLen:539
DF ***AP*** Seq: 0x3911FED Ack: 0x99D71666 Win:
0x16D0 TcpLen: 20

This shows up in my snort log. It says I'm the
source of the alert. (I think) Is that true?
I have apache running with rules that only allow
connections from certain IP addresses. Would
that be the cause? It's denying this person
access or is this really an attack of some sort?

It (403 Forbidden) is the kind of message Apache sends to someone trying,
for example, to browse a directory (i.e. www.web.com/test/) that does not
have the Index settings set. Not necessarily an attack... Take a look in
your Apache logs...

Regards,

Guillaume
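
One way to do the Apache log check suggested above, as an added example that is not part of the original post: it takes the client address and time from the Snort alert and lists the 403 responses Apache logged for that client within a few seconds. The addresses, log lines, year and function names are constructed for illustration, and it assumes Snort and Apache log in the same local time zone.

```python
import re
from datetime import datetime, timedelta

# Snort alert header: "MM/DD-HH:MM:SS.usec src:sport -> dst:dport"
# (\s+ also tolerates the line wrap seen in the mailed alert).
ALERT_RE = re.compile(
    r"(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")
# Apache common/combined log format: host, time, request line, status.
ACCESS_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+?) [+-]\d{4}\] "([^"]*)" (\d{3}) ')

def parse_alert(text, year):
    """Return (client_ip, alert_time). In this alert the web server
    (port 80) is the source, so the client is the destination."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("no alert header found")
    # Snort omits the year, so the caller supplies it.
    ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
    return m.group(4), ts

def matching_403s(alert_text, access_lines, year, window=5):
    """List (time, request) for 403s sent to the alert's client
    within `window` seconds of the alert."""
    client, when = parse_alert(alert_text, year)
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or m.group(4) != "403" or m.group(1) != client:
            continue
        t = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        if abs(t - when) <= timedelta(seconds=window):
            hits.append((t, m.group(3)))
    return hits

# Constructed sample data (documentation address ranges).
ALERT = """[**] [1:1201:1] WEB-MISC 403 Forbidden [**]
02/25-19:26:21.830746 192.0.2.10:80 ->
203.0.113.7:2294"""
ACCESS_LOG = [
    '203.0.113.7 - - [25/Feb/2002:19:26:21 +0100] "GET /test/ HTTP/1.0" 403 289',
    '203.0.113.7 - - [25/Feb/2002:19:20:02 +0100] "GET /index.html HTTP/1.0" 200 1450',
    '198.51.100.4 - - [25/Feb/2002:19:26:22 +0100] "GET /private/ HTTP/1.0" 403 291',
]

if __name__ == "__main__":
    for when, request in matching_403s(ALERT, ACCESS_LOG, 2002):
        print(when.isoformat(), request)
```

The request line of each match shows what the client asked for, which is what distinguishes a refused directory listing or an access-control denial from probing for many different paths.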
