Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] WEB-CLIENT Excel malformed FBI record - False positive

from [List Subscriptions] Network Security [Permanent Link]
Subject: Re: [Snort-users] WEB-CLIENT Excel malformed FBI record - False positive?
Date: Mon, 7 Jul 2008 09:49:09 -0400 
Is $EXTERNAL_NET set to 'any'?

On Mon, Jul 7, 2008 at 8:51 AM, Jesper Skou Jensen
<jesper.skou.jensen@uni-c.dk> wrote:

Hi there,

I've recently deployed a passive Snort sniffer next a bunch of
webservers, and I'm getting quite a lot of "WEB-CLIENT Excel malformed
FBI record" reports. I can't quite figure out if it's false positives or
not.

I've configured the IP's of the webservers as $HOME_NET, but when I look in
"rules/web-client.rules"

it states
"alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any"

which I read as the $HOME_NET is the destination, BUT when I read the
Snort syslog message below, it looks like the "attack" originates from
my webserver. Is that a correct assumption?

(Timestamp and IPs have been changed to protect the innocent! :-)
Jul  7 13:37:00 sysloghost snort: [1:12256:1] WEB-CLIENT Excel malformed
FBI record [Classification: Attempted User Privilege Gain] [Priority:
1]: {TCP} 10.1.1.1:80 -> 10.2.2.2:1229

10.1.1.1 is the webserver
10.2.2.2 is some client


Can any of you guys enlighten me?


--

  Jesper S. Jensen
Basisnet og Sikkerhed
Uni-C - Århus, Danmark

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] WEB-CLIENT Excel malformed FBI record - False positive?, Jack Pepper
Next by Date:  Re: [Snort-users] Mysql Compile Issue on RHEL 5.2 x86_64, Ian Lists
Previous by Thread:  Re: [Snort-users] WEB-CLIENT Excel malformed FBI record - False positive?, Jack Pepper
Next by Thread:  Re: [Snort-users] WEB-CLIENT Excel malformed FBI record - False positive?, Jesper Skou Jensen
Indexes:  [Date] [Thread] [Top] [All Lists]