Snort mailing list archives
Re: WEB-MISC readme.eml attempt
From: Roberto Suarez Soto <robe () alfa21 com>
Date: Tue, 12 Mar 2002 11:35:56 +0100
On Mar/11, Basil Saragoza wrote:
> I have a local sensor that sniffs the LAN NIC of the firewall. I see a couple of entries to the workstations (w2k with IIS5) and it says: WEB-MISC readme.eml attempt.
I've seen it a few times being a false alarm: reports about Nimda from
security sites, for example. The one alert that is only rarely a false alarm
is the "readme.eml autoload attempt", which matches the JavaScript code
that sends the infected file. It can be a false alarm too, but in my
experience that has happened very few times.
Anyway, your best bet is to check the traffic with tcpdump or ethereal
(if you captured it in tcpdump format, which I'd strongly recommend :-)), and
see what the payload is.
--
Roberto Suarez Soto Alfa21 Outsourcing
robe () alfa21 com http://www.alfa21.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
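The distinction Roberto draws (a bare "readme.eml" string in a page versus the Nimda script that opens it) is easy to see once the payload is in front of you. The following is an added example, not code from the original post or from the Snort project: a small triage helper that splits raw HTTP messages and runs the two content checks I assume the WEB-MISC readme.eml rules of that era used (a case-insensitive "/readme.eml" for the plain "attempt" rule, and the literal `window.open("readme.eml"` call that Nimda appended to web pages for the "autoload" rule). The HTTP messages below are constructed for the example; to get real ones, capture with something like `tcpdump -s 0 -w web.pcap port 80` and feed the reassembled payloads in.

```python
"""
Triage helper for the two readme.eml alerts discussed in the thread.

Added example, not code from the original post or from Snort. The two
signature strings are assumptions about what the rules matched on; the
sample HTTP messages are constructed here for the demonstration.
"""
import re
from dataclasses import dataclass

# Assumed rule content (not copied from a rules file):
#  - the generic "attempt" rule keys on the path "/readme.eml", so it also
#    fires on an advisory page that merely mentions the filename;
#  - the "autoload" rule keys on the window.open() call Nimda injected,
#    which carries no leading slash and rarely appears in legitimate HTML.
DOWNLOAD_PATTERN = re.compile(rb"/readme\.eml", re.IGNORECASE)
AUTOLOAD_PATTERN = re.compile(rb'window\.open\(\s*"readme\.eml"', re.IGNORECASE)


@dataclass
class Verdict:
    download_match: bool
    autoload_match: bool
    summary: str
    context: str  # bytes around the first hit, for the analyst to eyeball


def split_http(payload: bytes):
    """Return (start line, body) of a raw HTTP request or response."""
    head, _, body = payload.partition(b"\r\n\r\n")
    start = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return start, body


def snippet(payload: bytes, match, width: int = 40) -> str:
    """Show the payload around a regex match so the hit can be verified."""
    if match is None:
        return ""
    lo, hi = max(0, match.start() - width), match.end() + width
    return payload[lo:hi].decode("latin-1", "replace")


def triage(payload: bytes) -> Verdict:
    start, _ = split_http(payload)
    dl = DOWNLOAD_PATTERN.search(payload)
    al = AUTOLOAD_PATTERN.search(payload)
    if al:
        summary = "autoload: Nimda-style script in the HTML; treat as a real hit"
    elif dl and start.startswith(("GET ", "HEAD ")):
        summary = "download: a client requested readme.eml; check who and why"
    elif dl:
        summary = "string only: readme.eml named in page text; likely a false alarm"
    else:
        summary = "no match"
    return Verdict(bool(dl), bool(al), summary, snippet(payload, al or dl))


# Constructed sample traffic (not captured data).
SAMPLES = {
    "advisory_page": (
        b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body>Nimda drops a file named /readme.eml on the server"
        b"</body></html>"
    ),
    "infected_page": (
        b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body>Hello</body></html>\n"
        b'<html><script language="JavaScript">window.open("readme.eml", null, '
        b'"resizable=no,top=6000,left=6000")</script></html>'
    ),
    "fetch": b"GET /readme.eml HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "clean": b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
}


def triage_all(samples=SAMPLES):
    """Run triage over every sample and return the verdicts by name."""
    return {name: triage(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, v in triage_all().items():
        print(f"{name:14s} download={v.download_match!s:5} "
              f"autoload={v.autoload_match!s:5} {v.summary}")
        if v.context:
            print(f"{'':14s} ...{v.context}...")
```

The point the output makes is the one in the post: the advisory page trips the generic rule without any attack traffic, while the injected `window.open("readme.eml"` call only shows up in the infected page, which is why the autoload alert is the one worth chasing first.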
Current thread:
- WEB-MISC readme.eml attempt Basil Saragoza (Mar 11)
- Re: WEB-MISC readme.eml attempt Phil Wood (Mar 11)
- Re: WEB-MISC readme.eml attempt Roberto Suarez Soto (Mar 12)
