
Re: Attack alert from snort



On Fri, 06 Jul 2001, Philippe Clérié wrote:

> I got the following from snort :
> 
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Jul  6 07:48:19 canopus snort[3884]: spp_http_decode: IIS Unicode
> attack detected: 128.95.75.153:1647 -> 208.52.11.121:80
> 
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Jul  6 05:36:39 canopus snort[526]: spp_http_decode: IIS Unicode
> attack detected: 204.253.198.48:61383 -> 216.136.172.167:80
> 
> The bottom one particularly worries me as that seems to come from my
> system. Should I worry? If so how do I go about getting out of
> trouble?


You might want to check the payload of the packets and verify whether
this is a genuine positive.

You might be dealing with a false positive here.



greets


Jigal
 

-- 
	In short, his argument is that Holland, Germany and France (the biggest
	 critic of Echelon) are bigger buggers of their own citizens than the 
	Anglo-Saxon nations they're so paranoid about. 
	-<John Leyden The Register>
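
One way to carry out the payload check suggested in the reply above, as an added example that is not part of the original thread or of snort's own code: it percent-decodes a captured request line and separates ordinary multi-byte UTF-8 (a common source of false positives) from overlong encodings of ASCII characters. It assumes the request line has already been extracted from a packet capture; the function names and sample lines are constructed for illustration.

```python
import re

# Constructed sample request lines (not the traffic behind the alerts above).
SAMPLES = [
    b"GET /caf%C3%A9/menu.html HTTP/1.0",           # valid 2-byte UTF-8
    b"GET /docs/%E6%97%A5%E6%9C%AC.html HTTP/1.0",  # valid 3-byte UTF-8
    b"GET /a/..%c0%af../b HTTP/1.0",                # overlong 2-byte form of '/'
    b"GET /a/..%e0%80%af../b HTTP/1.0",             # overlong 3-byte form of '/'
    b"GET /index.html HTTP/1.0",                    # plain ASCII
]
PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
# (lead-byte mask, lead-byte pattern, sequence length, smallest legal code point)
FORMS = ((0xE0, 0xC0, 2, 0x80), (0xF0, 0xE0, 3, 0x800), (0xF8, 0xF0, 4, 0x10000))

def pct_decode(raw: bytes) -> bytes:
    """Undo one layer of %XX escaping; other bytes pass through unchanged."""
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def overlong_sequences(data: bytes):
    """Return (offset, raw_bytes, code_point) for each overlong UTF-8 sequence."""
    hits, i = [], 0
    while i < len(data):
        form = next((f for f in FORMS if (data[i] & f[0]) == f[1]), None)
        n = form[2] if form else 1
        tail = data[i + 1:i + n]
        if form and len(tail) == n - 1 and all(0x80 <= t <= 0xBF for t in tail):
            cp = data[i] & ~form[0] & 0xFF
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            if cp < form[3]:  # encoded with more bytes than the value needs
                hits.append((i, data[i:i + n], cp))
            i += n
        else:
            i += 1
    return hits

def triage(request_line: bytes) -> str:
    """Classify one request line by the encodings found in it."""
    hits = overlong_sequences(pct_decode(request_line))
    if not hits:
        return "no-overlong"
    # An overlong form that decodes to ASCII hides a character such as '/'.
    return "overlong-ascii" if any(cp < 0x80 for _, _, cp in hits) else "overlong-other"

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{triage(line):15} {line.decode('ascii')}")
```

A "no-overlong" result on the captured payload points toward a false positive; "overlong-ascii" means the request deserves a closer look at the source host.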


