[Snort-sigs] What is "FTP file_id.diz access" about?

Matt Kettler mkettler at ...1208...
Wed Jan 22 12:38:06 EST 2003


I can't see it as being particularly alarming. The only thing is that 
file_id.diz files are pretty uncommon outside of warez ftp servers. This 
rule triggers if one of your machines tries to retrieve a file by this name 
from an outside ftp server.

So it could, possibly, indicate that someone in your LAN is downloading 
warez, but I have occasionally seen file_id.diz files on legitimate ftp 
servers as well.

I think I'll drop this rule from my ruleset now :)

At 09:00 AM 1/23/2003 +1300, Jason Haar wrote:
>I've just had that rule trigger three times, and it's classified as
>classtype:suspicious-filename-detect.
>
>Googling for that filename just shows references to BBS software - no
>references to anything dangerous.
>
>Is that rule actually relevant for anything?
>
>Thanks!
>
>--
>Cheers
>
>Jason Haar
>Information Security Manager, Trimble Navigation Ltd.
>Phone: +64 3 9635 377 Fax: +64 3 9635 417
>PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>




