"James Riden" wrote:
Just FYI - can't think of a good fix right now. This is apt-get (or
possibly debmirror) fetching Debian package 'passwd'.
Generated by BASE v1.0.2 (racquel) on Fri, 11 Mar 2005 14:43:23 +1300
------------------------------------------------------------------------------
#(2 - 19462) [2005-02-25 09:27:23.227] [arachNIDS/213] [snort/356] FTP
passwd retrieval attempt
IPv4: 130.123.a.b -> 130.123.x.y
hlen=5 TOS=0 dlen=104 ID=10852 flags=0 offset=0 TTL=64 chksum=13407
TCP: port=32885 -> dport: 21 flags=***AP*** seq=1565934957
ack=1743706278 off=8 res=0 win=33232 urp=0 chksum=18269
Options:
#1 - NOP len=0
#2 - NOP len=0
#3 - TS len=8 data=005B7D5F0A76D949
Payload: length = 52
000 : 52 45 54 52 20 70 6F 6F 6C 2F 6D 61 69 6E 2F 73 RETR pool/main/s
010 : 2F 73 68 61 64 6F 77 2F 70 61 73 73 77 64 5F 34 /shadow/passwd_4
020 : 2E 30 2E 33 2D 33 30 2E 39 5F 69 33 38 36 2E 64 .0.3-30.9_i386.d
030 : 65 62 0D 0A eb..
Converting to PCRE should take care of most false positives:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21
(msg:"FTP passwd retrieval attempt"; flow:to_server,established;
content:"passwd"; pcre:"/^\s*RETR\s+\S*\b(?-i)passwd\s/smi";
reference:arachnids,213; classtype:suspicious-filename-detect;
sid:356; rev:6;)
Cheers,
nnposter
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
