[Snort-sigs] Sig to locate rogue ftp servers

Jon warchild at ...288...
Wed Feb 12 07:19:02 EST 2003

On Wed, Feb 12, 2003 at 04:46:45PM +0200, Jukka Juslin wrote:
> Dear Jon,
> I don't think this rule really works. I get 100's of false positives each
> day. Your ssh rule is good, though, because ssh is easy to recognize with
> the SSH- in the header. I had a similar rule in use before you posted yours.
> I wouldn't recommend using this rule. Comments?

I have yet to get any alerts using this rule, false positives or otherwise.

Could you perhaps give more detail on the packets that are tripping this
rule but are false positives, and tell me a bit about what $HOME_NET and
$EXTERNAL_NET are set to?  

The SSH rule is working perfectly so far.


