Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] WEB-CLIENT Excel malformed FBI record - False positive

from [Jesper Skou Jensen] Network Security [Permanent Link]
Subject: Re: [Snort-users] WEB-CLIENT Excel malformed FBI record - False positive?
Date: Tue, 08 Jul 2008 10:37:08 +0200 
GREAT... I screwed up my maildrop filters and never received any of your 
answers, but I found them in the archive...


List Subscriptions wrote:

Is $EXTERNAL_NET set to 'any'?


No, it's set to !$HOME_NET


Jack Pepper wrote:

"alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any"

which I read as the $HOME_NET is the destination, BUT when I read the
Snort syslog message below, it looks like the "attack" originates from
my webserver. Is that a correct assumption?


not quite. look at the connection that would match this rule:

outside_server:port80 and insideserver:otherport

the way this conversation sets up is when a browser (on the inside)
browses to port 80 (or other HTTP_PORT) on some outside source.

So if you browse to http://www.google.com , the external host will be
on port 80, the inside host will be on some high numbered port.

ok? So this rule reacts to inside users browsing out.


I think I get it, but just to clarify.

1. The user client is on the outside of our network and is accessing one 
of our servers on the inside.

2. This rule must be triggered because of a already established 
connection, like this.

Initial connnection
outside_client:highport -> inside_server:80

Response when user downloads
inside_server:80 -> outside_client:highport

Correct?



which means this is not really an "outside-in attack", but is really a
user downloading something that may contain a poison payload.


That is exactly what is happening. A outside user is downloading a word 
document from one of the servers.

Thanks for clearing that up for me.

-- 

   Jesper S. Jensen
Basisnet og Sikkerhed
Uni-C - Århus, Danmark
    +45 8937-6666

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Backend DB's, Jason Haar
Next by Date:  Re: [Snort-users] Backend DB's, Nigel Houghton
Previous by Thread:  Re: [Snort-users] WEB-CLIENT Excel malformed FBI record - False positive?, List Subscriptions
Next by Thread:  Re: [Snort-users] WEB-CLIENT Excel malformed FBI record - False positive?, Jack Pepper
Indexes:  [Date] [Thread] [Top] [All Lists]