[Snort-sigs] question re: FTP wu-ftp file completion attempt {

Edward Balas ebalas at ...570...
Tue Apr 30 08:43:06 EDT 2002


Hey All,

(insert general disclaimer re: being new to the
 snort signature arts here...)

In the last week a host was compromised with an exploit that
triggered the "FTP wu-ftp file completion attempt { " alert.

My question is the following: the severity of this alert is marked
as misc-attack, but from the events that I observed this event should
be recorded as an attempted-admin at least.

Are there situations where bumping up the severity would cause a false
positive?  In cases such as this, does it make sense to create a new
signature that is more specific?

Edward Balas