Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] False positives on FTP command 100 character limit

from [Sander Steffann] Network Security [Permanent Link]
Subject: [Snort-sigs] False positives on FTP command 100 character limit
Date: Thu, 2 Sep 2004 23:49:42 +0200 
Hi,

I'm getting a lot of false positives on the FTP command size checks, like rule 1748. They are (mostly) caused FTP clients that retrieve a file using the complete path in the RETR command. Is there a reason the limit is at 100 characters, or is it safe to raise that limit to reduce the number of false positives?

Rule 2546 is triggered a lot by the WS-FTP Pro synchronisation tool. It is a tool to synchronise a local directory with a directory on an FTP server. It uses a lot of MDTM commands with the full pathname to compare the local and remote files.

Examples:

length = 109

000 : 4D 44 54 4D 20 32 30 30 34 30 36 32 35 31 38 33   MDTM 20040625183
010 : 33 34 34 20 2F 77 65 62 73 69 74 65 2F 70 65 72   344 /website/per
020 : 73 6F 6E 65 65 6C 2F 70 65 72 73 6F 6E 65 65 6C   soneel/personeel
030 : 73 76 65 72 65 6E 69 67 69 6E 67 2F 66 6F 74 6F   svereniging/foto
040 : 27 73 20 32 35 20 6A 75 6E 69 20 32 30 30 34 2F   's 25 juni 2004/
050 : 44 61 67 6A 65 20 75 69 74 20 70 76 20 32 35 30   Dagje uit pv 250
060 : 36 30 34 20 30 34 39 2E 6A 70 67 0D 0A            604 049.jpg..

length = 130

000 : 4D 44 54 4D 20 32 30 30 31 30 35 31 31 31 30 32   MDTM 20010511102
010 : 30 30 34 20 2F 77 65 62 73 69 74 65 2F 69 6E 68   004 /website/inh
020 : 6F 75 64 2F 6C 65 65 72 6C 69 6E 67 65 6E 7A 6F   oud/leerlingenzo
030 : 72 67 2F 68 61 6E 73 20 76 65 72 62 72 75 67 67   rg/hans verbrugg
040 : 65 6E 2F 69 6E 66 6F 72 6D 61 74 69 65 20 6D 61   en/informatie ma
050 : 74 65 72 69 61 61 6C 2F 76 6F 6F 72 6C 69 63 68   teriaal/voorlich
060 : 74 69 6E 67 20 68 61 6E 73 2F 76 69 73 75 65 6C   ting hans/visuel
070 : 65 20 77 61 61 72 6E 65 6D 69 6E 67 2E 64 6F 63   e waarneming.doc
080 : 0D 0A                                             ..

Thanks,
Sander Steffann.



-------------------------------------------------------
This SF.Net email is sponsored by: thawte's Crypto Challenge Vl
Crack the code and win a Sony DCRHC40 MiniDV Digital Handycam
Camcorder. More prizes in the weekly Lunch Hour Challenge.
Sign up NOW http://ad.doubleclick.net/clk;10740251;10262165;m
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-sigs] False positives on FTP command 100 character limit, Sander Steffann <=
Previous by Date:  Re: [Snort-sigs] typot false positives?, andreas
Next by Date:  Re: [Snort-sigs] what's the type of Pattrem matching slgorithm in sonrt???, sekure
Previous by Thread:  [Snort-sigs] snort not logging into database, neha agrawal
Next by Thread:  [Snort-sigs] False Positives on Rule 2050, John Duksta
Indexes:  [Date] [Thread] [Top] [All Lists]