[Snort-sigs] tftp rules classtypes confusing

Chris Green cmg at ...435...
Thu Apr 10 06:29:05 EDT 2003

"Miller, Eoin" <Miller at ...866...> writes:

> now what seems to be odd is that the classtype is
> "successful-admin". it would seem to make more sense to have an
> "attempted-admin" classification rather than an actual successful
> attack, being that this isnt a response back from my server, but
> rather the attempt from the client that triggered this alert.

The direction the rule was originally written for was as a way to
detect with snort when people successfuly compromised machine where
tftp is one of the common upload mechanisms for toolsets.
Chris Green <cmg at ...435...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod

More information about the Snort-sigs mailing list