Snort mailing list archives
Re: Remote NIDS
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 11 Dec 2003 17:31:36 -0600
There appears to be some sort of script that is triggering the following alerts:
SID 1748 FTP command overflow attempt protocol-command-decode
SID 1377 FTP wu-ftp bad file completion attempt [
SID 1378 FTP wu-ftp bad file completion attempt {
SID 1530 FTP format string attempt
SID 1778 FTP EXPLOIT STAT ? dos attempt
SID 2178 FTP USER format string attempt

I'm seeing this combination of alerts being triggered from multiple IP addresses. Each source address triggers all six of these alerts to one or more destination addresses.
1) Is anyone else seeing this?

2) Is there a way to write a rule that would trigger if all six of these alerts were triggered from one source address?
3) If anyone else has seen this, would you have a capture? Perhaps there's something in the script that could be used to trigger an alert?
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
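Question 2 above asks for a single rule that fires only when all six SIDs have been seen from one source. A Snort rule matches one packet or stream at a time, so correlating six different rules across several destinations is normally done by post-processing the alert log rather than inside the ruleset. The script below is an added example, not code from the thread or from the Snort project: it reads alerts in Snort's "alert_fast" line format, groups the signature IDs seen per source address, and reports every source that has tripped the full set of six SIDs. The alert lines are constructed for the example; the IP addresses, timestamps and revision numbers are made up.

```python
import re
from collections import defaultdict

# The six generator-1 SIDs listed in the post. A source that has triggered
# every one of them is treated as running the suspected script.
SCRIPT_SIDS = {1748, 1377, 1378, 1530, 1778, 2178}

# One alert_fast line looks like:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:sport -> dst:dport
# The classification and priority fields are optional, so the regex skips
# lazily from the message to the {proto} block.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log: 10.0.0.5 trips all six SIDs against two FTP servers,
# 10.0.0.9 trips only two of them, and one line is noise that should not parse.
SAMPLE_ALERTS = [
    "12/11-17:20:01.000001  [**] [1:1748:5] FTP command overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.5:33412 -> 192.168.1.20:21",
    "12/11-17:20:01.100002  [**] [1:1377:6] FTP wu-ftp bad file completion attempt [ [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.0.0.5:33412 -> 192.168.1.20:21",
    "12/11-17:20:01.200003  [**] [1:1378:6] FTP wu-ftp bad file completion attempt { [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.0.0.5:33412 -> 192.168.1.20:21",
    "12/11-17:20:02.000004  [**] [1:1530:5] FTP format string attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.0.0.5:33413 -> 192.168.1.21:21",
    "12/11-17:20:02.100005  [**] [1:1778:4] FTP EXPLOIT STAT ? dos attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.0.5:33413 -> 192.168.1.21:21",
    "12/11-17:20:02.200006  [**] [1:2178:2] FTP USER format string attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.0.0.5:33413 -> 192.168.1.21:21",
    "12/11-17:25:00.000007  [**] [1:1748:5] FTP command overflow attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.9:40100 -> 192.168.1.20:21",
    "12/11-17:25:00.100008  [**] [1:1530:5] FTP format string attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 10.0.0.9:40100 -> 192.168.1.20:21",
    "this line is not a snort alert and must be ignored",
]


def parse_alert(line):
    """Return a dict with gid, sid, msg, src, dst for one alert_fast line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "src": m["src"],
        "dst": m["dst"],
    }


def sids_by_source(lines):
    """Map each source IP to the set of generator-1 SIDs it has triggered."""
    seen = defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        # gid 1 is the rules engine; preprocessor events use other generator IDs
        # and carry their own numbering, so they are not compared against SIDs.
        if alert is not None and alert["gid"] == 1:
            seen[alert["src"]].add(alert["sid"])
    return seen


def matching_sources(lines, required=SCRIPT_SIDS):
    """Return the sorted list of source IPs that triggered every SID in `required`."""
    seen = sids_by_source(lines)
    return sorted(src for src, sids in seen.items() if required <= sids)


def missing_sids(lines, required=SCRIPT_SIDS):
    """For sources that hit at least one required SID, show which ones they have not hit yet."""
    seen = sids_by_source(lines)
    return {src: sorted(required - sids) for src, sids in seen.items() if sids & required}


if __name__ == "__main__":
    for src in matching_sources(SAMPLE_ALERTS):
        print(f"{src}: all {len(SCRIPT_SIDS)} script SIDs seen")
    for src, gaps in missing_sids(SAMPLE_ALERTS).items():
        if gaps:
            print(f"{src}: partial match, missing SIDs {gaps}")
```

On a real sensor this would be pointed at the alert file (or run over a capture replayed through snort) instead of the constructed list; `missing_sids` is there so a source that has only hit four or five of the six still shows up for a closer look rather than being silently dropped. The grouping is by source only because the post notes that each source hits one or more destinations; it also has no time window, so a long-lived log should be split by day or hour before correlation to avoid joining unrelated scans from the same address.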
Current thread:
- Remote NIDS Grammer, Christopher S (Dec 10)
- Re: Remote NIDS Sp0oKeR Labs (Dec 10)
- Re: Remote NIDS Dirk Geschke (Dec 11)
- Re: Remote NIDS Paul Schmehl (Dec 11)