Snort mailing list archives

False alerts generated when FTP'ing Redhat ISO images ...


From: "Low, Adam" <ALow () Prioritytelecom com>
Date: Tue, 7 Aug 2001 18:46:20 +0200

Hi All,

I'm fairly new to Snort, so excuse me if I'm missing something here, but ...

Today I picked up 272 'IDS545/rpc_rpc_tcp_traffic_contains_bin_sh' alerts and 13076 'spp_stream4: WINDOW VIOLATION detection' alerts. After the initial panic subsided, I discovered that these were triggered by a user FTP'ing the Redhat ISO images from ftp.nluug.nl. I did some further checks and, guess what, '/bin/sh' appears in the ISO images 272 times ...

So, having discovered the cause, I find myself perplexed as to why Snort triggered these specific IDS's for this fairly normal FTP traffic. Am I missing a config directive or something?

Cheers,
Adam

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
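As an added illustration (not code from the original post, and not Snort's own rule engine), a toy content-matcher in Python that reproduces the effect the post describes: a rule matching the byte string "/bin/sh" on any TCP port fires once per ISO chunk carried over FTP-data, while the same rule scoped to the portmapper port (TCP 111) fires only on RPC traffic. The packet payloads, port numbers and the assumption that the original rule was not port-scoped are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    payload: bytes

@dataclass(frozen=True)
class Rule:
    sid: str
    content: bytes
    dst_ports: Optional[frozenset]  # None means "any destination port" (the broad form)

def fires(rule: Rule, pkt: Packet) -> bool:
    """One alert per packet whose payload contains the rule's content string,
    subject to the rule's destination-port constraint, if it has one."""
    if rule.dst_ports is not None and pkt.dst_port not in rule.dst_ports:
        return False
    return rule.content in pkt.payload

def count_alerts(rule: Rule, packets: List[Packet]) -> int:
    return sum(fires(rule, p) for p in packets)

# Constructed traffic (not a real capture): three FTP-data packets (server port 20
# -> client ephemeral port) carrying ISO chunks that each embed "/bin/sh" once,
# plus one packet to the portmapper (TCP 111) that also contains the string.
ISO_CHUNKS = [b"\x7fELF\x01" + bytes(range(16)) + b"/bin/sh\x00" + bytes(16) for _ in range(3)]
FTP_DATA = [Packet(src_port=20, dst_port=34567, payload=c) for c in ISO_CHUNKS]
RPC_PKT = Packet(src_port=40000, dst_port=111, payload=b"\x80\x00\x00\x28" + b"/bin/sh\x00")
TRAFFIC = FTP_DATA + [RPC_PKT]

# Hypothetical rule variants: the broad one matches content on any port, the tuned
# one only on traffic actually headed for an RPC service.
BROAD_RULE = Rule(sid="IDS545-broad", content=b"/bin/sh", dst_ports=None)
TUNED_RULE = Rule(sid="IDS545-tuned", content=b"/bin/sh", dst_ports=frozenset({111}))

def compare() -> dict:
    """Alert counts per rule over the constructed traffic."""
    return {r.sid: count_alerts(r, TRAFFIC) for r in (BROAD_RULE, TUNED_RULE)}

if __name__ == "__main__":
    print(compare())  # {'IDS545-broad': 4, 'IDS545-tuned': 1}
```

The same idea applies to the real rule: a bare content match on a binary file transfer will fire on every chunk that happens to contain the string, so scoping the rule to the ports and direction the attack actually uses is the usual first tuning step.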