Snort mailing list archives

Re: Remote NIDS


From: Paul Schmehl <pauls@utdallas.edu>
Date: Thu, 11 Dec 2003 17:31:36 -0600

There appears to be some sort of script that is triggering the following alerts:

SID 1748 FTP command overflow attempt protocol-command-decode
SID 1377 FTP wu-ftp bad file completion attempt [
SID 1378 FTP wu-ftp bad file completion attempt {
SID 1530 FTP format string attempt
SID 1778 FTP EXPLOIT STAT ? dos attempt
SID 2178 FTP USER format string attempt

I'm seeing this combination of alerts being triggered from multiple IP addresses. Each source address triggers all six of these alerts to one or more destination addresses.

1) Is anyone else seeing this?

2) Is there a way to write a rule that would trigger if all six of these alerts were triggered from one source address?

3) If anyone else has seen this, would you have a capture? Perhaps there's something in the script that could be used to trigger an alert?

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
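Question 2 above asks for a single trigger when one source address has fired all six SIDs, across any number of destinations. The following is an added example, not code from the post or from the Snort project: it correlates Snort "fast" alert lines offline, grouping the SIDs seen per source address and reporting any source that has produced the full set. The sample alert lines are constructed for this example (abbreviated fast-format lines with made-up timestamps, revision numbers and RFC 5737 addresses); the helper names and the `min_hits` knob are assumptions of this example, not anything from the thread.

```python
import re
from collections import defaultdict

# The six SIDs from the post. A source that has fired every one of them is
# reported, together with the destinations it touched.
SCAN_SIDS = frozenset({1748, 1377, 1378, 1530, 1778, 2178})

# Snort "fast" alert layout: the "[gid:sid:rev]" tag, later "{PROTO} src:port -> dst:port".
# The regex anchors on the numeric gid:sid:rev tag, so "[" or "{" inside a rule
# message (as in SIDs 1377/1378) does not confuse it.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)

# Constructed sample alerts (not from the original post): 192.0.2.10 fires all six
# SIDs spread over two destinations, 192.0.2.20 fires only three, and the last
# line is unparseable noise that must be skipped rather than crash the parser.
SAMPLE_ALERTS = """\
12/11-17:20:01.000001  [**] [1:1748:1] FTP command overflow attempt [**] [Priority: 3] {TCP} 192.0.2.10:3301 -> 198.51.100.5:21
12/11-17:20:01.000002  [**] [1:1377:1] FTP wu-ftp bad file completion attempt [ [**] [Priority: 2] {TCP} 192.0.2.10:3301 -> 198.51.100.5:21
12/11-17:20:01.000003  [**] [1:1378:1] FTP wu-ftp bad file completion attempt { [**] [Priority: 2] {TCP} 192.0.2.10:3301 -> 198.51.100.5:21
12/11-17:20:02.000001  [**] [1:1530:1] FTP format string attempt [**] [Priority: 2] {TCP} 192.0.2.10:3302 -> 198.51.100.6:21
12/11-17:20:02.000002  [**] [1:1778:1] FTP EXPLOIT STAT ? dos attempt [**] [Priority: 2] {TCP} 192.0.2.10:3302 -> 198.51.100.6:21
12/11-17:20:02.000003  [**] [1:2178:1] FTP USER format string attempt [**] [Priority: 2] {TCP} 192.0.2.10:3302 -> 198.51.100.6:21
12/11-17:25:10.000001  [**] [1:1748:1] FTP command overflow attempt [**] [Priority: 3] {TCP} 192.0.2.20:4001 -> 198.51.100.5:21
12/11-17:25:10.000002  [**] [1:1377:1] FTP wu-ftp bad file completion attempt [ [**] [Priority: 2] {TCP} 192.0.2.20:4001 -> 198.51.100.5:21
12/11-17:25:10.000003  [**] [1:1530:1] FTP format string attempt [**] [Priority: 2] {TCP} 192.0.2.20:4001 -> 198.51.100.5:21
this line is not an alert and is ignored
"""


def parse_alert(line):
    """Return (sid, src, dst) for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return int(m.group("sid")), m.group("src"), m.group("dst")


def correlate_by_source(lines, watched=SCAN_SIDS):
    """Map each source IP to the watched SIDs it triggered and the destinations it hit."""
    sids = defaultdict(set)
    dsts = defaultdict(set)
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        sid, src, dst = parsed
        if sid in watched:
            sids[src].add(sid)
            dsts[src].add(dst)
    return sids, dsts


def find_full_sequence(lines, watched=SCAN_SIDS, min_hits=None):
    """Sources that triggered at least min_hits distinct watched SIDs (default: all of
    them), regardless of destination or order. Returns {src: sorted destinations}."""
    if min_hits is None:
        min_hits = len(watched)
    sids, dsts = correlate_by_source(lines, watched)
    return {src: sorted(dsts[src]) for src, seen in sids.items() if len(seen) >= min_hits}


if __name__ == "__main__":
    for src, targets in find_full_sequence(SAMPLE_ALERTS.splitlines()).items():
        print(f"{src} fired all {len(SCAN_SIDS)} SIDs against {', '.join(targets)}")
```

The match is on the set of distinct SIDs per source, not on their order, so a scanner that probes hosts in a different sequence is still caught; lowering `min_hits` reports sources that got partway through the sequence, which is useful when a rule in the set has been disabled locally.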


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net