Snort mailing list archives

False positives???


From: Latha K <latha_lkris () yahoo com>
Date: Wed, 4 Sep 2002 15:00:33 -0700 (PDT)


I was playing with Snort 1.8.7 and noticed this. There is a particular attack in the ftp.rules file, msg:"FTP RETR 1MB". I believe it indicates an alert should be raised if someone tries to open an FTP session and retrieve the file "1 MB".

I issued an FTP "Get" command to retrieve the "1 MB" file. This file does not exist in my directory and it returns a message "550 1MB: No such file or directory." indicating the "GET" is not successful.

But the alert is logged in the snort log even though the attempt is not successful. Is it not possible to correlate the response of the FTP command and raise an alert only if it was successful???

I think there are quite a few attacks like this for which you can know by seeing the response if the attack is successful, and then raise alerts?

Any comments

Latha
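The response-aware correlation asked about above, as an added example that is not code from the original thread or from Snort itself. It assumes a simple "C:"/"S:" session transcript format; the transcript is constructed, and the watched filename is the "1MB" from the rule the post mentions.

```python
import re

# Constructed FTP session transcript (not from the original post): one refused
# and one successful RETR of the file the "FTP RETR 1MB" rule watches.
SESSION = """\
C: USER anonymous
S: 331 Please specify the password.
C: PASS guest@
S: 230 Login successful.
C: RETR 1MB
S: 550 1MB: No such file or directory.
C: RETR 1MB
S: 150 Opening BINARY mode data connection for 1MB.
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""

WATCHED_FILES = {"1MB"}                     # filenames the content rule matches
CMD_RE = re.compile(r"^C: (\w+)\s*(.*)$")   # client command line (assumed format)
REPLY_RE = re.compile(r"^S: (\d{3})[ -]")   # server reply code (assumed format)

def correlate(session: str):
    """Return (request_hits, confirmed).

    request_hits counts every RETR of a watched file, i.e. what a stateless
    content match fires on.  confirmed lists only those the server answered
    with a 1xx/2xx reply (the transfer actually started), which is what a
    response-aware rule would alert on; a 4xx/5xx reply such as 550 clears
    the pending request without an alert."""
    request_hits = 0
    confirmed = []
    pending = None                       # watched RETR awaiting the server reply
    for line in session.splitlines():
        m = CMD_RE.match(line)
        if m:
            cmd, arg = m.group(1).upper(), m.group(2)
            if cmd == "RETR" and arg in WATCHED_FILES:
                request_hits += 1
                pending = arg
            else:
                pending = None           # any other command ends the pending request
            continue
        m = REPLY_RE.match(line)
        if m and pending is not None:
            code = int(m.group(1))
            if 100 <= code < 300:        # 150 = data connection opening, file exists
                confirmed.append((pending, code))
                pending = None
            elif code >= 400:            # server refused (e.g. 550 no such file)
                pending = None
    return request_hits, confirmed
```

On the constructed session the stateless count is 2 while only the second RETR is confirmed, which is the difference between the alert the post saw and the one it wanted.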

