[Snort-sigs] tftp rules classtypes confusing
cmg at ...435...
Thu Apr 10 06:29:05 EDT 2003
"Miller, Eoin" <Miller at ...866...> writes:
> now what seems to be odd is that the classtype is
> "successful-admin". it would seem to make more sense to have an
> "attempted-admin" classification rather than an actual successful
> attack, being that this isn't a response back from my server, but
> rather the attempt from the client that triggered this alert.
The direction the rule was originally written for was as a way to
detect with snort when people successfully compromised a machine where
tftp is one of the common upload mechanisms for toolsets.
Chris Green <cmg at ...435...>
"Not everyone holds these truths to be self-evident, so we've worked
up a proof of them as Appendix A." -- Paul Prescod