Snort mailing list archives

Re: False alerts generated when FTP'ing Redhat ISO images ...


From: Mike Johnson <mike () enoch org>
Date: Tue, 7 Aug 2001 16:18:06 -0400

Low, Adam [ALow () Prioritytelecom com] wrote:
> Hi All,
>
> I'm fairly new to Snort so excuse me if I'm missing something here but ...

You're missing something here.
 
> Today I picked up 272 'IDS545/rpc_rpc_tcp_traffic_contains_bin_sh' alerts and 13076 'spp_stream4: WINDOW VIOLATION
> detection' alerts. After the initial panic subsided I discovered that these were triggered by a user FTP'ing the
> Redhat ISO images from ftp.nluug.nl. I did some further checks and guess what, '/bin/sh' appears in the ISO images
> 272 times ...

Check out that rule:
alert TCP $EXTERNAL any -> $INTERNAL 32771: (msg: "IDS545/rpc_rpc_tcp_traffic_contains_bin_sh"; flags: A+; content: "/bin/sh"; classtype: system-attempt; reference: arachnids,545;)

See the 32771:?  That means all ports greater than or equal to 32771.
So, your FTP session happened to get a port on your local box above
32770.  The ISO will have tons of files in it that contain the string
"/bin/sh", which is what the rule looks for (like you said).

As for the WINDOW VIOLATION, I think those have been cleared up by
the latest beta.
 
> So having discovered the cause I find myself perplexed as to why Snort triggered these specific IDS's for this fairly
> normal FTP traffic. Am I missing a config directive or something?

It's a false positive.  You need to either disable that rule (and
live with the possibility of not triggering when that event actually
occurs) or live with the falses.

If you're not worried about RPC based exploits, get rid of this
rule and you'll not have as many alerts.

Mike
-- 
Never trust a man who puts anything other than a finger up his nose. - _Snatch_
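The port-range and content matching Mike describes, as an added example that is not part of this thread and not Snort's own code: a small model of how the IDS545 rule is evaluated (ports, the flags option and the content string only; the $EXTERNAL/$INTERNAL address variables are ignored). The sample FTP data segments are constructed.

```python
# Added illustration, not Snort source: models port specs, 'flags' and 'content'.
IDS545 = ('alert TCP $EXTERNAL any -> $INTERNAL 32771: '
          '(msg: "IDS545/rpc_rpc_tcp_traffic_contains_bin_sh"; flags: A+; '
          'content: "/bin/sh"; classtype: system-attempt; reference: arachnids,545;)')

def parse_port_spec(spec):
    """Snort port field -> inclusive (low, high). '32771:' is 32771..65535,
    ':1024' is 0..1024, '1024:2048' is a range, 'any' is every port."""
    spec = spec.strip()
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    return (int(spec), int(spec))

def parse_rule(rule):
    """Split a one-line rule into its header fields and a dict of options."""
    head, _, body = rule.partition("(")
    action, proto, src, sport, _, dst, dport = head.split()
    opts = {}
    for opt in body.rstrip(")").split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return {"sport": sport, "dport": dport, "opts": opts}

def rule_fires(rule, pkt):
    """pkt: {'sport', 'dport', 'flags' (set of TCP flag letters), 'payload' (bytes)}."""
    r = parse_rule(rule)
    for field in ("sport", "dport"):
        lo, hi = parse_port_spec(r[field])
        if not lo <= pkt[field] <= hi:
            return False
    flags = r["opts"].get("flags", "")
    if flags:
        # 'A+': ACK must be set, other flags may be set too; no '+' means exact match
        want = set(flags.rstrip("+"))
        ok = want <= pkt["flags"] if flags.endswith("+") else want == pkt["flags"]
        if not ok:
            return False
    return r["opts"]["content"].encode() in pkt["payload"]

# Constructed sample: one segment of an ISO download over FTP data (server port 20)
# landing on a client ephemeral port; the ISO contains an ordinary shell script.
ISO_CHUNK = b"\x00" * 32 + b"#!/bin/sh\nexec /sbin/init\n" + b"\x00" * 32
FTP_DATA_HIGH_PORT = {"sport": 20, "dport": 33412, "flags": {"A"}, "payload": ISO_CHUNK}
FTP_DATA_LOW_PORT = {"sport": 20, "dport": 1027, "flags": {"A"}, "payload": ISO_CHUNK}

if __name__ == "__main__":
    print(rule_fires(IDS545, FTP_DATA_HIGH_PORT))  # True: the false positive
    print(rule_fires(IDS545, FTP_DATA_LOW_PORT))   # False: port below 32771
```

The same transfer alerts or stays silent depending only on which ephemeral port the client happened to get, which is why tuning the port range or the rule itself, rather than the FTP traffic, is the fix.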

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
