Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] FPs for ftp_pp: Invalid FTP command

from [Russell Fulton] Network Security [Permanent Link]
Subject: [Snort-sigs] FPs for ftp_pp: Invalid FTP command
Date: Mon, 10 Sep 2007 14:04:57 +1200
We are seeing quite a few alerts like this.  I'm guessing that what is happening here is that the response is being broken over two packets and the preprocessor is taking it as a new request.

If there is something screwy with the server then I can go and talk to the owner since it is local.

Russell

META
SID CID TimeStamp Signature Sig ID
6 9180342 2007-09-10 00:52:31 ftp_pp: Invalid FTP command 2
Sensor Hostname Sensor Interface
monitor-dmzo.isec.auckland.ac.nz dmz sensor
IP
Source Address Dest Address Ver Hdr Len TOS length ID flags offset TTL chksum
130.216.55.91 198.119.135.29 4 5 0 262 55587 2 0 62 23302
Resolved Source Resolved Dest
rdav91.phy.auckland.ac.nz l0acg02.larc.nasa.gov
TCP
Source Port Dest Port Seq Ack Offset Reserved Flags Window Checksum Urgent Ptr
21 62090 1191567141 419123495 8 0 25 65535 21273 0
Options
None
Flags

RB 1 RB 0 URG ACK PSH RST SYN FIN



X X

X
DATA 
20202020446174612074

72616666696320666F72

20746869732073657373

696F6E20776173203230

34303432353231206279

74657320696E20322066

696C65732E0D0A202020

20546F74616C20747261

6666696320666F722074

6869732073657373696F

6E207761732032303430

34333332302062797465

7320696E203220747261

6E73666572732E0D0A32

3231205468616E6B2079

6F7520666F7220757369

6E672074686520465450

2073657276696365206F

6E207264617639312E70

68792E6175636B6C616E

642E61632E6E7A2E0D0A


            
    Data t

raffic for

 this sess

ion was 20

4042521 by

tes in 2 f

iles...   

 Total tra

ffic for t

his sessio

n was 2040

43320 byte

s in 2 tra

nsfers...2

21 Thank y

ou for usi

ng the FTP

 service o

n rdav91.p

hy.aucklan

d.ac.nz...
DATA 
    Data traffic for this session was 204042521 bytes in 2 f
iles...    Total traffic for this session was 204043320 byte
s in 2 transfers...221 Thank you for using the FTP service o
n rdav91.phy.auckland.ac.nz...
 
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-sigs] FPs for ftp_pp: Invalid FTP command, Russell Fulton <=
Previous by Date:  [Snort-sigs] Bleeding Edge Threats Daily Signature Changes, bleeding
Next by Date:  [Snort-sigs] Var that don't work, Thierry CHICH
Previous by Thread:  [Snort-sigs] Sourcefire VRT Certified Snort Rules Update, research
Next by Thread:  [Snort-sigs] Var that don't work, Thierry CHICH
Indexes:  [Date] [Thread] [Top] [All Lists]