Snort mailing list archives
Re: False alerts generated when FTP'ing Redhat ISO images ...
From: Mike Johnson <mike () enoch org>
Date: Tue, 7 Aug 2001 16:18:06 -0400
Low, Adam [ALow () Prioritytelecom com] wrote:
> Hi All, I'm fairly new to Snort so excuse me if I'm missing something here but ...
You're missing something here.
> Today I picked up 272 'IDS545/rpc_rpc_tcp_traffic_contains_bin_sh' alerts and 13076 'spp_stream4: WINDOW VIOLATION detection' alerts, after the initial panic subsided I discovered that these were triggered by a user FTP'ing the Redhat ISO images from ftp.nluug.nl. I did some further checks and guess what, '/bin/sh' appears in the ISO images 272 times ...
Check out that rule:

alert TCP $EXTERNAL any -> $INTERNAL 32771: (msg: "IDS545/rpc_rpc_tcp_traffic_contains_bin_sh"; flags: A+; content: "/bin/sh"; classtype: system-attempt; reference: arachnids,545;)

See the 32771:? That means all ports greater than or equal to 32771. So, your FTP session happened to get a port on your local box above 32770. The ISO will have tons of files in it that contain the string "/bin/sh", which is what the rule looks for (like you said). As for the WINDOW VIOLATION, I think those have been cleared up by the latest beta.
> So having discovered the cause I find myself perplexed as to why Snort triggered these specific IDS's for this fairly normal FTP traffic, am I missing a config directive or something ?
It's a false positive. You need to either disable that rule (and live with the possibility of not triggering when that event actually occurs) or live with the falses. If you're not worried about RPC based exploits, get rid of this rule and you'll not have as many alerts.

Mike

--
Never trust a man who puts anything other than a finger up his nose. - _Snatch_

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
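The reply above turns on two things: how Snort reads the destination port spec "32771:" and the fact that a plain content match on "/bin/sh" cannot tell an RPC request from a chunk of an ISO. The following is an added illustration, not code from this thread and not Snort's own matcher: it models a Snort port specification (single port, "N:", ":N", "N:M", "any", and a leading "!" to negate), a cut-down version of the IDS545 rule, and a constructed FTP data transfer landing on an ephemeral local port above 32770. The Packet class, the rule_fires function and the sample traffic are all assumptions made for the example.

```python
"""Model of why Snort's IDS545 rule fires on an FTP'd ISO (added example,
not Snort's own code): a port-spec matcher plus a simplified content rule."""

from dataclasses import dataclass


def parse_port_spec(spec: str):
    """Return (low, high, negate) for a Snort-style port spec.

    Accepted forms: 'any', a single port 'N', 'N:' (N and above), ':N'
    (N and below), 'N:M' (inclusive range), each optionally prefixed by
    '!' to negate the match.
    """
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec == "any":
        return 0, 65535, negate
    if ":" in spec:
        low_s, high_s = spec.split(":", 1)
        low = int(low_s) if low_s else 0
        high = int(high_s) if high_s else 65535
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port spec: {spec}")
    return low, high, negate


def port_matches(spec: str, port: int) -> bool:
    """True when `port` falls inside the spec (honouring a leading '!')."""
    low, high, negate = parse_port_spec(spec)
    hit = low <= port <= high
    return not hit if negate else hit


@dataclass
class Packet:
    """Minimal stand-in for a TCP segment from $EXTERNAL to $INTERNAL (hypothetical)."""
    src_port: int
    dst_port: int
    ack: bool          # stands in for 'flags: A+' (ACK set, other flags ignored)
    payload: bytes


def rule_fires(pkt: Packet, dst_port_spec: str, content: bytes) -> bool:
    """Cut-down IDS545: any source port -> dst port in spec, ACK set,
    payload contains the content string. No protocol awareness at all."""
    return pkt.ack and port_matches(dst_port_spec, pkt.dst_port) and content in pkt.payload


def count_alerts(packets, dst_port_spec: str = "32771:", content: bytes = b"/bin/sh") -> int:
    """Number of packets that would raise the alert under the given port spec."""
    return sum(rule_fires(p, dst_port_spec, content) for p in packets)


# Constructed traffic: 272 ISO chunks each carrying a shell script header,
# delivered by the FTP server to an ephemeral client port above 32770.
ISO_CHUNK = b"#!/bin/sh\n# constructed install script fragment from the ISO\n"
FTP_DATA = [Packet(src_port=20, dst_port=40123, ack=True, payload=ISO_CHUNK) for _ in range(272)]

# Constructed RPC-looking request to the exact port the rule name refers to.
RPC_PROBE = Packet(src_port=1234, dst_port=32771, ack=True, payload=b"\x00\x00/bin/sh\x00")


if __name__ == "__main__":
    print("ISO over FTP, spec 32771:  ->", count_alerts(FTP_DATA))
    print("ISO over FTP, spec 32771   ->", count_alerts(FTP_DATA, "32771"))
    print("RPC probe,    spec 32771:  ->", count_alerts([RPC_PROBE]))
    print("RPC probe,    spec 32771   ->", count_alerts([RPC_PROBE], "32771"))
```

Run as a script it reproduces the thread's numbers: the 272 chunks all alert under "32771:" because an ephemeral port of 40123 satisfies "greater than or equal to 32771". Narrowing the spec to the single port 32771 silences the ISO transfer while still matching the probe to that port, which is the trade-off Mike describes: a tighter spec cuts the falses, but the rule then stays quiet for the same string sent to any other high port.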
Current thread:
- False alerts generated when FTP'ing Redhat ISO images ... Low, Adam (Aug 07)
- Re: False alerts generated when FTP'ing Redhat ISO images ... Mike Johnson (Aug 07)