Snort mailing list archives
False positives???
From: Latha K <latha_lkris () yahoo com>
Date: Wed, 4 Sep 2002 15:00:33 -0700 (PDT)
I was playing with Snort 1.8.7 and noticed this. There is a particular attack in the ftp.rules file, "msg:FTP \RETR 1MB\". I believe it indicates an attack should be raised if someone tries to open an FTP session and retrieve the file "1 MB". I issued an FTP "Get" command to retrieve the "1 MB" file. This file does not exist in my directory and it returns a message "550 1MB: No such file or directory." indicating the "GET" is not successful. But the alert is logged in the snort log even though the attempt is not successful.

Is it not possible to correlate the response of the FTP command and raise an alert only if it was successful??? I think there are quite a few attacks like this for which you can know by seeing the response if the attack is successful and then raise alerts?

Any comments?

Latha
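The correlation asked about above, as an added example that is not part of the original post and is not Snort code: a sketch that pairs each watched `RETR 1MB` command with the server's reply code and separates failed attempts from successful transfers. The transcript is constructed, the names `correlate`, `WATCHED` and `SAMPLE_SESSION` are hypothetical, and it assumes one outstanding command at a time on the control channel.

```python
import re

# Constructed FTP control-channel transcript: (direction, line).
# "C" = client to server, "S" = server to client.
SAMPLE_SESSION = [
    ("S", "220 FTP server ready."),
    ("C", "USER anonymous"),
    ("S", "331 Guest login ok, send your email address as password."),
    ("C", "PASS guest@example.com"),
    ("S", "230 Guest login ok."),
    ("C", "RETR 1MB"),
    ("S", "550 1MB: No such file or directory."),
    ("C", "RETR 1MB"),
    ("S", "150 Opening BINARY mode data connection for 1MB."),
    ("S", "226 Transfer complete."),
]

WATCHED = re.compile(r"^RETR\s+1MB\s*$", re.IGNORECASE)  # command the rule keys on
REPLY = re.compile(r"^(\d{3})([ -])")                    # "550 text" or "150-text"


def correlate(session):
    """Return (command, reply_code, outcome) for every watched command."""
    events = []
    pending = None  # watched command still waiting for its reply
    for direction, line in session:
        if direction == "C":
            # Any new client command replaces the one we were tracking.
            pending = line if WATCHED.match(line) else None
            continue
        m = REPLY.match(line)
        if pending is None or m is None or m.group(2) == "-":
            continue  # nothing tracked, or a non-final line of a multi-line reply
        code = m.group(1)
        if code[0] in "12":      # 1xx/2xx: server started or completed the transfer
            outcome = "success"
        elif code[0] in "45":    # 4xx/5xx: server refused or failed the request
            outcome = "failed"
        else:
            continue
        events.append((pending, code, outcome))
        pending = None           # ignore the later 226 for the same command
    return events


if __name__ == "__main__":
    for command, code, outcome in correlate(SAMPLE_SESSION):
        print(f"{outcome:8} {code} {command}")
```

Failed attempts are still returned rather than dropped, so an analyst can choose to log them at lower priority instead of losing them.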