Snort mailing list archives
Re: FTP passive data transfer FP's and flowbits
From: Martin Holste <mcholste () gmail com>
Date: Tue, 11 Jan 2011 12:03:54 -0600
I think Jason's explanation helps a lot. Joel, here's what you guys can do to improve things:

Firstly, stop issuing preproc alerts from FTP. If someone could tell me when this has actually led to witnessing an attempted break-in, I'd really like to hear it.

You could go a step further and focus on getting the data in a buffer available to content match if a rule wants it that way. I would argue that this technique should be done for all the preprocs. That is, there should be no other generator IDs other than 1. All alerts should be in the form of a rule which refers to specific buffers (ftp_data, ssl_cert, etc.) similar to http_uri. Now that you guys have your shiny new SO to debug buffers, this should be easier to develop. That will go a long way towards simplifying configurations as well as making it crystal-clear what rules can trigger along the lines of the way the text hooks for the SO rules work.
Current thread:
- FTP passive data transfer FP's and flowbits Kungu Panda (Jan 10)
- Re: FTP passive data transfer FP's and flowbits Martin Holste (Jan 10)
- Re: FTP passive data transfer FP's and flowbits Joel Esler (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Crusty Saint (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Crusty Saint (Jan 26)
- Re: FTP passive data transfer FP's and flowbits Joel Esler (Jan 26)
- Re: FTP passive data transfer FP's and flowbits Joel Esler (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Kungu Panda (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Jason Brvenik (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Kungu Panda (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Martin Holste (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Jefferson, Shawn (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Martin Holste (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Martin Holste (Jan 10)
- Re: FTP passive data transfer FP's and flowbits CunningPike (Jan 14)