Symantec™ Security Gateways Reference Guide - Sawmill

IDS eventsSuspicious activity441NNTP Malformed DataBase Event:Details:Response:Affected:NNTPCLI_INVALID_ASCIIThe NNTP client sent a command with characters outside the ASCII range allowed. It is possiblethis indicates an attempt to compromise the server.The packet contents should be examined and the server should be audited. Valid ASCII charactersare x00 - 0x7f inclusive.No specific targets.False Positives: None known.ReferencesNNTP SpecificationsNNTP Malformed DataBase Event:Details:Response:Affected:NNTPCLI_INVALID_COMMANDThe NNTP client sent an unrecognized command to the server. This could indicate a compromisedserver.Audit of the server is recommended. If seen in sufficient volume or variation, location and audit ofclient is recommended.No specific targets.False Positives: It is possible this is a news client or server using an unofficial protocol extension or non-compliantNNTP implementation.ReferencesNNTP SpecificationsNNTP Malformed DataBase Event:Details:Response:Affected:NNTPSER_INVALID_RESPONSEThe NNTP server sent a response that did not comply with the RFC. This event is triggered whenthe response does not start with a three digit numeric response code. It is possible this indicates anattempt to compromise the server.The packet contents should be examined and the server should be audited.No specific targets.False Positives: It is possible this is a news client or server using an unofficial protocol extension or non-compliantNNTP implementation.ReferencesNNTP SpecificationsNNTP Malformed DataBase Event:Details:Response:Affected:NNTPCLI_INVALID_TEXTThe NNTP client sent data outside of the range allowed. It is possible this indicates an attempt tocompromise the server.The packet contents should be examined and the server should be audited.No specific targets.False Positives: None known.ReferencesNNTP Specifications