Snort alarms


quwax
04-18-2007, 11:47 PM
Hello,
While the backup through SuperDuper! from my Powerbook to a disk image on the server is running, I get a lot of Snort warnings like this:
"WEB-MISC cat%20 access"
"WEB-MISC WebDAV search access"
"WEB-MISC /etc/passwd"
"WEB-MISC cross site scripting attempt"
etc.
In the log from SuperDuper! I have these entries for the time in question:
11:19:29 PM | Info | /Users
| 11:37:02 PM | Info | /usr
| 11:38:39 PM | Info | /dev
| 11:38:39 PM | Info | /Volumes
| 11:38:39 PM | Info | Ignoring /Volumes/xxx_Bu
| 11:38:39 PM | Info | Ignoring /Volumes/HD_xxx
| 11:38:39 PM | Info | Ignoring /Volumes/bbb
| 11:38:39 PM | Info | Ignoring /Volumes/dddd
| 11:38:39 PM | Info | Ignoring /Volumes/BU_xxxSys
| 11:38:39 PM | Info | Ignoring /Volumes/ccc
| 11:38:39 PM | Info | Ignoring /Volumes/Sys_BaU
| 11:38:39 PM | Info | Ignoring /Volumes/xxxSystem
| 11:38:39 PM | Info | Ignoring /Volumes/HD_System

Any idea how I can stop these warnings?

Thanks
Q.

dnanian
04-18-2007, 11:51 PM
I have no idea, Q. We're not doing anything weird at all: we're simply copying files to the image you point us to.

quwax
04-21-2007, 07:45 AM
These warnings always come when the backup is running.
I have this issue with 2 workstations, and the strange thing is, it doesn't always cause Snort to produce these warnings.
I'm not sure, but I think it appears only when some other network volume is mounted during the backup process. Could it be connected to that?
What's running under the hood from SuperDuper! resync?

Besides that, SuperDuper! is working great!
Thanks
Q.

dnanian
04-21-2007, 11:19 AM
Nothing is running under the hood that has anything to do with networking. We copy, using standard APIs, to the image: there's no "network" access done except by the lower-level Apple routines that are doing standard network I/O...