[Snort-sigs] Fwd: false positive for #615

james jaffeld at ...2058...
Tue Dec 30 07:50:07 EST 2003


Sid: 615



Detailed Information:

Affected Systems:

Attack Scenarios:

Ease of Attack:

False Positives:
Ftp clients open a source port of tcp >  1023 (an 'ephemeral' port).  If the 
client opens port 1080 (which is greater than 1023) for the
data connection, this rule will be triggered by return packets from the ftp 
server.  One way to tighten the rule might be to preceed it with a pass rule 
for an 'established' packet to 1080 and then have the current rule.  This 
would only work where passive ftp, where the client initiates both control 
and data sessions, is exclusively employed.  Normal ftp requires the server 
to initiate a connection to the client for data transfers after the client 
sets up a control session.  I don't see a way to distinguish a scan from a 
legitimate normal ftp data connection.  Both would have a syn packet where 
src=tcp 20 dst = 1080 .  An application or stateful firewall would be able to 
block the scan, but I don't see how to write a rule to spot it in Snort.  

False Negatives:

Corrective Action:


Additional References:

Do you Yahoo!?
New Yahoo! Photos - easier uploading and sharing.



I got a lot of bad ideas in my head.  
	-Travis Bickle

More information about the Snort-sigs mailing list