This is Interesting: Free IT Magazines  
Home > Archive > Snort > September 2004 > [Snort-users] NEW SNORT USER QUESTIONS





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author [Snort-users] NEW SNORT USER QUESTIONS
Bruce Cox

2004-09-22, 10:25 pm

TODAY IS THE FIRST TIME I HAVE USED SNORT ON MY FEDORA
OS. COULD SOMEONE PLEASE TELL ME WHAT THE FOLLOWING
LINES MEAN. WHY DO I GET THESE WARNING EVERYTIME I
VISIT THIS LINUX WEB SITE?
Sep 16 08:09:04 localhost snort: [1:1054:7] WEB-MISC
weblogic/tomcat .jsp view source attempt
[Classification: Web Application Attack] [Priority:
1]: {TCP} 192.168.0.2:32935 -> 209.120.155.233:80
Sep 16 08:12:50 localhost snort: [1:2570:6] WEB-MISC
Invalid HTTP Version String [Classification: Detection
of a non-standard protocol or event] [Priority: 2]:
{TCP} 192.168.0.2:32978 -> 63.111.66.11:80
Sep 16 08:13:18 localhost snort: [1:2570:6] WEB-MISC
Invalid HTTP Version String [Classification: Detection
of a non-standard protocol or event] [Priority: 2]:
{TCP} 192.168.0.2:32990 -> 63.111.66.11:80
Sep 16 08:14:27 localhost snort: [1:1200:10]
ATTACK-RESPONSES Invalid URL [Classification:
Attempted Information Leak] [Priority: 2]: {TCP}
66.77.165.226:80 -> 192.168.0.2:33011
Sep 16 08:15:39 localhost snort: [1:1200:10]
ATTACK-RESPONSES Invalid URL [Classification:
Attempted Information Leak] [Priority: 2]: {TCP}
66.77.165.226:80 -> 192.168.0.2:33007
Sep 16 08:18:32 localhost snort: [1:1200:10]
ATTACK-RESPONSES Invalid URL [Classification:
Attempted Information Leak] [Priority: 2]: {TCP}
66.77.165.226:80 -> 192.168.0.2:33015
Sep 16 08:21:07 localhost snort: [1:1200:10]
ATTACK-RESPONSES Invalid URL [Classification:
Attempted Information Leak] [Priority: 2]: {TCP}
66.77.165.226:80 -> 192.168.0.2:33033

BRUCE



__________________________________
Do you Yahoo!?
Take Yahoo! Mail with you! Get it on your mobile phone.
http://mobile.yahoo.com/maildemo


-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Jason

2004-09-22, 10:25 pm

Bruce,

I believe the alerts you are getting are a result of the site design.
Kindly provide the URL of the site causing the alerts. We cannot provide
more insight without more information.

Bruce Cox wrote:

> TODAY IS THE FIRST TIME I HAVE USED SNORT ON MY FEDORA
> OS. COULD SOMEONE PLEASE TELL ME WHAT THE FOLLOWING
> LINES MEAN. WHY DO I GET THESE WARNING EVERYTIME I
> VISIT THIS LINUX WEB SITE?
> Sep 16 08:09:04 localhost snort: [1:1054:7] WEB-MISC
> weblogic/tomcat .jsp view source attempt
> [Classification: Web Application Attack] [Priority:
> 1]: {TCP} 192.168.0.2:32935 -> 209.120.155.233:80
> Sep 16 08:12:50 localhost snort: [1:2570:6] WEB-MISC
> Invalid HTTP Version String [Classification: Detection
> of a non-standard protocol or event] [Priority: 2]:
> {TCP} 192.168.0.2:32978 -> 63.111.66.11:80
> Sep 16 08:13:18 localhost snort: [1:2570:6] WEB-MISC
> Invalid HTTP Version String [Classification: Detection
> of a non-standard protocol or event] [Priority: 2]:
> {TCP} 192.168.0.2:32990 -> 63.111.66.11:80
> Sep 16 08:14:27 localhost snort: [1:1200:10]
> ATTACK-RESPONSES Invalid URL [Classification:
> Attempted Information Leak] [Priority: 2]: {TCP}
> 66.77.165.226:80 -> 192.168.0.2:33011
> Sep 16 08:15:39 localhost snort: [1:1200:10]
> ATTACK-RESPONSES Invalid URL [Classification:
> Attempted Information Leak] [Priority: 2]: {TCP}
> 66.77.165.226:80 -> 192.168.0.2:33007
> Sep 16 08:18:32 localhost snort: [1:1200:10]
> ATTACK-RESPONSES Invalid URL [Classification:
> Attempted Information Leak] [Priority: 2]: {TCP}
> 66.77.165.226:80 -> 192.168.0.2:33015
> Sep 16 08:21:07 localhost snort: [1:1200:10]
> ATTACK-RESPONSES Invalid URL [Classification:
> Attempted Information Leak] [Priority: 2]: {TCP}
> 66.77.165.226:80 -> 192.168.0.2:33033
>
> BRUCE
>
>
>
> __________________________________
> Do you Yahoo!?
> Take Yahoo! Mail with you! Get it on your mobile phone.
> http://mobile.yahoo.com/maildemo
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
> Project Admins to receive an Apple iPod Mini FREE for your judgement on
> who ports your project to Linux PPC the best. Sponsored by IBM.
> Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
> ________________________________________
_______
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists...nfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf....ist=snort-users
>



-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2010 webservertalk.com