Snort-alerts/WEB-MISC-intranet-access

From aldeid

Trigger

This alert is triggered when the string "/intranet/" is detected in the request.

Example

A request to "http://www.somesite.com/intranet/index.php" produces the following log entry:

[**] [1:1214:7] WEB-MISC intranet access [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/19-13:34:21.666419 70.87.***.***:48116 -> 192.168.***.**:80
TCP TTL:49 TOS:0x0 ID:50079 IpLen:20 DgmLen:381 DF
***AP*** Seq: 0xE32EF10A  Ack: 0x741ACA68  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 579941028 15719250
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11626]
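
The alert above, parsed into fields so that hits for SID 1214 can be pulled out of an alert file for triage. This is an added example, not part of the original page or of Snort itself; the function names `parse_alerts` and `intranet_hits` are illustrative, and the sample text is the alert shown above with its masked addresses.

```python
import re

# Alert text copied from the example above (addresses are masked on the page).
SAMPLE = """\
[**] [1:1214:7] WEB-MISC intranet access [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/19-13:34:21.666419 70.87.***.***:48116 -> 192.168.***.**:80
TCP TTL:49 TOS:0x0 ID:50079 IpLen:20 DgmLen:381 DF
***AP*** Seq: 0xE32EF10A  Ack: 0x741ACA68  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 579941028 15719250
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11626]
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")  # gid:sid:rev
CLASS = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
# Host part is \S+ rather than an IP pattern so masked addresses still parse.
FLOW = re.compile(r"^(\d\d/\d\d(?:/\d\d)?-[\d:.]+) (\S+):(\d+) -> (\S+):(\d+)$")
XREF = re.compile(r"\[Xref => (.*?)\]")

def parse_alerts(text):
    """Split full-format alert text into one dict per alert."""
    alerts, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            cur = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]),
                   "msg": m[4], "xrefs": []}
            alerts.append(cur)
        elif cur is None:
            continue  # text before the first alert header
        elif m := CLASS.match(line):
            cur["classification"], cur["priority"] = m[1], int(m[2])
        elif m := FLOW.match(line):
            cur.update(time=m[1], src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]))
        elif line.startswith("[Xref"):
            cur["xrefs"] += XREF.findall(line)  # a line may carry several Xrefs
    return alerts

def intranet_hits(alerts, sid=1214):
    """Return (time, src, dst, dport) for each alert raised by the given SID."""
    return [(a.get("time"), a.get("src"), a.get("dst"), a.get("dport"))
            for a in alerts if a["gid"] == 1 and a["sid"] == sid]

if __name__ == "__main__":
    for hit in intranet_hits(parse_alerts(SAMPLE)):
        print(hit)
```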