Vieri l33t
Joined: 18 Dec 2005 Posts: 870
Posted: Mon May 18, 2015 12:18 pm Post subject: snort - Rhino Software Serv-U Web Client
Hi,
I'm wondering why snort on my firewall keeps alerting me of "Potentially Bad Traffic" regarding "Rhino Software Serv-U Web Client":
Code:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4873
I don't have Rhino software installed, so could it be a web client that is being executed each time a user navigates to a specific web site?
Snort reports this remote address:
but if I try to connect:
Code:
# curl --verbose http://81.26.166.11:80
* Rebuilt URL to: http://81.26.166.11:80/
* Hostname was NOT found in DNS cache
* Trying 81.26.166.11...
* Connected to 81.26.166.11 (81.26.166.11) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 81.26.166.11
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
* Server nginx is not blacklisted
< Server: nginx
< Date: Mon, 18 May 2015 12:00:43 GMT
< Content-Type: text/html
< Content-Length: 160
< Connection: keep-alive
< Location: https://a248.e.akamai.net/i-origin.ligatus.com/blank.gif
< Expires: Thu, 01 Jan 1970 00:00:01 GMT
< Cache-Control: no-cache, must-revalidate
< Pragma: no-cache
<
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.2.7</center>
</body>
</html>
* Connection #0 to host 81.26.166.11 left intact
I'd like to understand why accessing the above host triggers the following alert in Snort:
Code:
[**] [119:19:1] (http_inspect) LONG HEADER [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/18-13:45:59.050472 10.215.248.192:62061 -> 81.26.166.11:80
TCP TTL:48 TOS:0x0 ID:11937 IpLen:20 DgmLen:1210 DF
***A**** Seq: 0x20D1D6F9 Ack: 0x7EF3CC32 Win: 0x2000 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4873]
Thanks,
Vieri
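Added example (editor's code, not part of Vieri's post and not Snort's own implementation). The alert above is a preprocessor event: GID 119 is Snort's http_inspect client-side generator, and 119:19 "LONG HEADER" is the anomaly check controlled by the max_header_length option of the http_inspect_server configuration, not a signature rule for the Serv-U product named in the Xref. The code below parses Snort's full-alert output into structured records so the GID can be checked, then shows a simplified stand-in for the header-length check itself. The second alert block (SID 1000001) and the sample HTTP request with a 600-byte Cookie are constructed inputs; the length check is an illustration of the idea, not a copy of the preprocessor's logic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the alert from the post above, followed by a made-up
# rule-engine event (GID 1, local SID range) for contrast.
SAMPLE_ALERTS = """\
[**] [119:19:1] (http_inspect) LONG HEADER [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/18-13:45:59.050472 10.215.248.192:62061 -> 81.26.166.11:80
TCP TTL:48 TOS:0x0 ID:11937 IpLen:20 DgmLen:1210 DF
***A**** Seq: 0x20D1D6F9 Ack: 0x7EF3CC32 Win: 0x2000 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4873]

[**] [1:1000001:3] EXAMPLE rule for illustration [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/18-13:46:10.000001 10.215.248.192:62070 -> 192.0.2.10:80
TCP TTL:48 TOS:0x0 ID:11950 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x1 Ack: 0x2 Win: 0x2000 TcpLen: 20
"""

HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (?:\((\w+)\) )?(.+?) \[\*\*\]$')
CLASS_RE = re.compile(r'^\[Classification: (.+?)\] \[Priority: (\d+)\]$')
PACKET_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$')
XREF_RE = re.compile(r'^\[Xref => (.+?)\]$')


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    preprocessor: Optional[str]   # e.g. "http_inspect"; None for rule events
    message: str
    classification: str = ""
    priority: int = 0
    timestamp: str = ""
    src: Tuple[str, int] = ("", 0)
    dst: Tuple[str, int] = ("", 0)
    xrefs: List[str] = field(default_factory=list)

    def is_preprocessor_event(self) -> bool:
        # GID 1 (text rules) and 3 (shared-object rules) come from the detection
        # engine; any other generator is a decoder/preprocessor check, so the
        # Xref is background reading for the check, not evidence of a matched exploit.
        return self.gid not in (1, 3)


def parse_alerts(text: str) -> List[SnortAlert]:
    """Parse Snort full-alert blocks (as in the post) into SnortAlert records."""
    alerts: List[SnortAlert] = []
    current: Optional[SnortAlert] = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            gid, sid, rev, pre, msg = m.groups()
            current = SnortAlert(int(gid), int(sid), int(rev), pre, msg)
            alerts.append(current)
            continue
        if current is None:
            continue
        m = CLASS_RE.match(line)
        if m:
            current.classification, current.priority = m.group(1), int(m.group(2))
            continue
        m = PACKET_RE.match(line)
        if m:
            current.timestamp = m.group(1)
            current.src = (m.group(2), int(m.group(3)))
            current.dst = (m.group(4), int(m.group(5)))
            continue
        m = XREF_RE.match(line)
        if m:
            current.xrefs.append(m.group(1))
    return alerts


def triage_line(a: SnortAlert) -> str:
    """One-line summary that makes the event type visible for triage."""
    kind = "preprocessor" if a.is_preprocessor_event() else "rule"
    return (f"{a.gid}:{a.sid}:{a.rev} [{kind}] {a.message} "
            f"{a.src[0]}:{a.src[1]} -> {a.dst[0]}:{a.dst[1]} "
            f"prio={a.priority} xrefs={len(a.xrefs)}")


# Constructed client request with an oversized Cookie header (608 bytes).
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent: curl/7.37.1\r\n"
                  b"Cookie: " + b"a" * 600 + b"\r\n"
                  b"Accept: */*\r\n\r\n")


def longest_header_field(raw_request: bytes) -> Tuple[str, int]:
    """Simplified stand-in for the check behind 119:19: return the name and
    byte length of the longest header line so it can be compared against
    the configured max_header_length. Not Snort's code."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    best = ("", 0)
    for ln in head.split(b"\r\n")[1:]:        # skip the request line
        if len(ln) > best[1]:
            best = (ln.split(b":", 1)[0].decode("latin-1"), len(ln))
    return best


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_ALERTS):
        print(triage_line(alert))
    print(longest_header_field(SAMPLE_REQUEST))
```

Running the parser over the post's alert yields a preprocessor event, which is the practical answer to the question: the alert does not mean the Serv-U web client is present on either end, only that a request header field sent to 81.26.166.11 exceeded the length threshold configured for http_inspect. Comparing longest_header_field() against that threshold on a capture of the offending request (a long Cookie or Referer from an ad network is a common cause) tells you whether to raise max_header_length or to keep the alert.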