Snort mailing list archives

Re: FTP passive data transfer FP's and flowbits


From: CunningPike <cunningpike () gmail com>
Date: Fri, 14 Jan 2011 12:39:28 -0800

On Tue, Jan 11, 2011 at 10:03 AM, Martin Holste <mcholste () gmail com> wrote:
I think Jason's explanation helps a lot.

Joel, here's what you guys can do to improve things:  Firstly, stop
issuing preproc alerts from FTP.  If someone could tell me when this
has actually led to witnessing an attempted break-in, I'd really like
to hear it.  You could go a step further and focus on getting the data
in a buffer available to content match if a rule wants it that way.  I
would argue that this technique should be done for all the preprocs.
That is, there should be no other generator IDs other than 1.  All
alerts should be in the form of a rule which refers to specific buffers
(ftp_data, ssl_cert, etc.) similar to http_uri.  Now that you guys
have your shiny new SO to debug buffers, this should be easier to
develop.  That will go a long way towards simplifying configurations
as well as making it crystal-clear what rules can trigger along the
lines of the way the text hooks for the SO rules work.


This gets two thumbs up from me.

CP
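For readers unfamiliar with the rule style Martin is advocating, here is an added example (not from the thread and not a Snort-project rule): an ordinary generator-ID 1 rule that matches on a named buffer, using `http_uri`, which exists in Snort 2.x. The `ftp_data` and `ssl_cert` buffers named in the post are his proposal, and this example does not assume they exist as rule modifiers; `$EXTERNAL_NET`, `$HOME_NET` and `$HTTP_PORTS` are the usual snort.conf variables.

```snort
# Added example, not from the thread: detection written as a plain gid:1
# text rule that inspects a named buffer (the normalized URI), instead of
# relying on a preprocessor-generated alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE directory traversal sequence in normalized URI"; \
    flow:to_server,established; \
    content:"/../"; http_uri; \
    classtype:web-application-attack; \
    sid:1000001; rev:1; )
```

Because the match is scoped to the `http_uri` buffer rather than raw packet payload, the same pattern elsewhere in the request body does not fire, which is the "crystal-clear what rules can trigger" property the post is asking for.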
