Snort mailing list archives
False alerts generated when FTP'ing Redhat ISO images ...
From: "Low, Adam" <ALow () Prioritytelecom com>
Date: Tue, 7 Aug 2001 18:46:20 +0200

Hi All,

I'm fairly new to Snort so excuse me if I'm missing something here but ...

Today I picked up 272 'IDS545/rpc_rpc_tcp_traffic_contains_bin_sh' alerts and 13076 'spp_stream4: WINDOW VIOLATION detection' alerts. After the initial panic subsided I discovered that these were triggered by a user FTP'ing the Redhat ISO images from ftp.nluug.nl. I did some further checks and guess what, '/bin/sh' appears in the ISO images 272 times ...

So having discovered the cause I find myself perplexed as to why Snort triggered these specific IDS's for this fairly normal FTP traffic. Am I missing a config directive or something?

Cheers,
Adam