Re: X11 Outgoing

From: Brad Arlt
Date: 10/31/03

    Date: Fri, 31 Oct 2003 15:11:43 -0700
    To: Dr Aldo Medina <>

    On Fri, Oct 31, 2003 at 02:59:32PM +0400, Dr Aldo Medina wrote:
    > Thanks for answering. I once used X11 forwarding, even thru ssh. I don't

    X11 over SSH will not trigger this alert because all the network
    traffic is hidden within your ssh connection (port 22).

    > My question is more related to the threat of these messages,

    This is the Snort rule that causes Snort to care (it is from 1.8.6, it
    may have been improved, but this gives the idea).

    alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outgoing"; flags:SA; reference:arachnids,126; classtype:unknown; sid:1227; rev:1;)

    As we can see, they are only seeing whether there is a network
    connection from port 6000 - 6005 inclusive. These ports are often
    used by X11. But they could be used by something else.

    Your example alert looks like a connection to [] from whatever your local IP
    is/was. Many of the hacked machines I have seen over the last few
    years are in the That said, I am sure they are an
    ISP with real clients doing perhaps legitimate work.

    The point I am shooting at is:

    Everyone can tell you what type of network traffic caused the
    alert - using various levels of technical detail. But only you can
    say whether that network traffic is bad or not.

    This type of traffic on most of my network wouldn't worry me, I have
    lots of Unix workstations and lots of users with Linux at home on
    cable and DSL services. They run things on their PCs at home while
    working on site, and they run things on site while "working" at
    home. I might leave the alert on for kicks to answer the question "How
    many people use X11 remotely without ssh?"

    If I see this sort of traffic coming from my enterprise, which
    shouldn't be sending *any* network traffic out of our network, then I

    If you can see no reason why your machine(s) should connect to [] then you might have a
    problem. Look into it further. It either should be stopped, or is
    normal network traffic that you should document and alter a rule or
    two so you don't get this alert without good cause.

    If you feel lazy, just block that IP at your firewall and wait for a
    phone call. This isn't the most customer friendly approach, but
    requires almost no effort on your part. The downside is if the
    machine is hacked or hackable you have done nothing to stop that. But
    then "lazy" was the goal... :)

       __o Bradley Arlt Security Team Lead
     _ \<_ University Of Calgary
    (_)/(_) Joyously Canadian Computer Science
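The rule quoted in the message, as an added example that is not part of the original e-mail or of Snort itself: a small Python evaluator of what sid 1227 actually tests (external source port 6000-6005, SYN/ACK, destination inside $HOME_NET), run over constructed packets, with an allow-list standing in for the "document it and alter a rule or two" tuning described above. The $HOME_NET range, the addresses and the packet records are assumptions made up for the demo.

```python
"""Added example (not from the original e-mail or from Snort): replicate the
match logic of sid 1227 "X11 outgoing" over constructed packet records and
show which of them would alert, which are documented, and which never match.
All addresses, ports and hosts below are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass

# Assumed $HOME_NET (RFC 5737 test range); $EXTERNAL_NET is everything else,
# which is Snort's default of !$HOME_NET.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# Source-port range from the rule: 6000:6005 covers X displays :0 through :5.
X11_PORTS = range(6000, 6006)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "PA"


def is_home(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


def matches_sid1227(pkt: Packet) -> bool:
    """alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (flags:SA; ...)

    Only a SYN/ACK from an external host's port 6000-6005 to a home host
    matches: a remote X server answering a connection our side initiated.
    Snort's flags:SA (without a modifier) means exactly SYN and ACK, so a
    later data packet (PA) on the same connection does not re-alert."""
    return (
        not is_home(pkt.src)
        and is_home(pkt.dst)
        and pkt.sport in X11_PORTS
        and pkt.flags == "SA"
    )


# Constructed allow-list of remote X servers that have been looked into and
# documented, standing in for the rule tuning the e-mail recommends.
DOCUMENTED_X_SERVERS = {"198.51.100.7"}


def classify(pkt: Packet) -> str:
    """'alert' for an undocumented match, 'documented' for a known-good one,
    'no-alert' when the rule would not fire at all."""
    if not matches_sid1227(pkt):
        return "no-alert"
    if pkt.src in DOCUMENTED_X_SERVERS:
        return "documented"
    return "alert"


def triage(packets):
    return [(p.src, p.sport, classify(p)) for p in packets]


# Constructed packets exercising each branch of the rule.
SAMPLE = [
    Packet("198.51.100.7", 6000, "192.0.2.10", 41234, "SA"),  # documented home box, display :0
    Packet("203.0.113.9", 6001, "192.0.2.10", 41235, "SA"),   # unknown X server -> alert
    Packet("203.0.113.9", 22, "192.0.2.10", 41236, "SA"),     # X forwarded over ssh: port 22, no match
    Packet("203.0.113.9", 6000, "192.0.2.10", 41237, "PA"),   # data packet, flags are not SA
    Packet("192.0.2.10", 41235, "203.0.113.9", 6001, "S"),    # our own outbound SYN: wrong direction
    Packet("203.0.113.9", 6003, "192.0.2.10", 41238, "SA"),   # any service on 6003 looks the same
]

if __name__ == "__main__":
    for src, sport, verdict in triage(SAMPLE):
        print(f"{src}:{sport} -> {verdict}")
```

The last sample packet is the caveat the message makes: the rule knows nothing about the X protocol, only about source port and flags, so a non-X service that happens to listen on 6000-6005 produces the identical alert. That is why the allow-list step is a decision only the site can make.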
