Snort mailing list archives

Re: FTP passive data transfer FP's and flowbits


From: Crusty Saint <saintcrusty () gmail com>
Date: Wed, 26 Jan 2011 16:41:14 +0100

I confess, the span port was not positioned properly.

2011/1/11 Crusty Saint <saintcrusty () gmail com>

Same for overlapping TCP packets, with any threshold but 0
(this is on a Cisco switch with span/monitor port active).

2011/1/11 Joel Esler <jesler () sourcefire com>

Okay, so let me ask you guys.  What can we do (Snort) to make it better?

Joel


On Mon, Jan 10, 2011 at 8:54 PM, Martin Holste <mcholste () gmail com> wrote:

I've never found the alerts generated by the FTP preproc to be helpful
for anything other than a heartbeat to prove Snort is up and sniffing
traffic.  I recently started to suppress all from that gen_id.  I'm
strongly considering doing the same for the SSL preproc.  The amount
of resources it takes to investigate each false positive is not worth
the off-chance that you will be the one to discover a
never-before-seen new FTP/telnet hack.

On Mon, Jan 10, 2011 at 1:19 PM, Kungu Panda <kungupanda () gmail com> wrote:
I am experiencing a large number of false-positive alerts generated from ftp
sessions; specifically ftp data sessions tripping alerts on binary transfers.

Any recommendations on associating an ftp command channel with an ftp
passive data-channel which, of course, occurs on ports from the command
channel? Association for use with snort flowbits to identify ftp sessions
and eliminate FPs on troublesome rules...

Thanks,
K.Panda




------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web. Learn how to
best implement a security strategy that keeps consumers' information secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




--
Joel Esler
Skype:eslerjoel
http://blog.snort.org





-- 
- - -
Security Engineer - Tags: Analyst Systems Security Linux Firewall Network
Web Troubleshooting - If you think I deserve a rant, write me off-list
------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires 
February 28th, so secure your free ArcSight Logger TODAY! 
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
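K.Panda's question earlier in the thread is how to tie an FTP command channel to the passive data channel it announces, so that data-channel traffic can be tagged and kept away from rules meant for the command channel. As an added example (not code from the thread, from Snort, or from any poster), the correlation step in Python: parse the server's 227 (PASV) and 229 (EPSV) replies on the control channel, record the announced endpoints, and tag later connections to those endpoints as ftp-data. The server replies and addresses below are constructed samples.

```python
import re
from typing import Optional, Set, Tuple

# Constructed sample: server replies captured on one FTP control channel.
CONTROL_REPLIES = [
    "220 ftp.example.test FTP server ready",
    "227 Entering Passive Mode (192,0,2,10,195,80)",    # 195*256+80 = 50000
    "229 Entering Extended Passive Mode (|||50001|)",
    "226 Transfer complete",
]

# RFC 959 PASV reply: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 EPSV reply: only a port, host is the control-channel server
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")

Endpoint = Tuple[str, int]


def passive_endpoint(reply: str, server_ip: str) -> Optional[Endpoint]:
    """Return the (ip, port) a passive-mode reply tells the client to use, else None.

    Malformed values (octet > 255, port outside 1-65535) are rejected rather
    than guessed, since a bad parse would mis-tag unrelated traffic.
    """
    m = PASV_RE.match(reply)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(octet > 255 for octet in fields[:4]):
            return None
        port = fields[4] * 256 + fields[5]
        if not 0 < port < 65536:
            return None
        return ".".join(str(o) for o in fields[:4]), port
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        return (server_ip, port) if 0 < port < 65536 else None
    return None


def expected_data_channels(replies, server_ip: str) -> Set[Endpoint]:
    """Collect every data-channel endpoint announced on a control channel."""
    return {ep for ep in (passive_endpoint(r, server_ip) for r in replies) if ep}


def is_ftp_data(conn: Tuple[str, str, int], table: Set[Endpoint]) -> bool:
    """conn = (client_ip, server_ip, server_port); True if it matches an announced endpoint."""
    return (conn[1], conn[2]) in table
```

A second-stage script can use the same table to drop or re-label alerts whose destination matches an announced endpoint, which is the command-to-data association the question asks for.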