[Snort-sigs] What is "FTP file_id.diz access" about?

Jim Forster jforster at ...11...
Wed Jan 22 13:54:01 EST 2003


The FILE_ID.DIZ file is just a straight ASCII text file which contains a description of the archive. It is normally placed inside the distribution archive (ZIP) file, so that it travels with the product no matter where it is distributed.  The FILE_ID.DIZ file, as defined by its creators (Clark Development), is a file generated by the program author, and many BBS and online services extract it from uploaded archives automatically.
We don't use these file descriptors on our servers for any reason, so I should never see them, and haven't had a false yet.
I have picked up 3 different servers that our clients had left anon FTP open on that it tagged on.  (The 'anon' users tagged their files with this outside the zip so it was easier to tell what it was), so I still keep it in place on all but one of our sensors.
YMMV. :)

---==On Wed, 22 Jan 2003 15:40:33 -0500, Matt Kettler wrote==---
I can't see it as being particularly alarming. The only thing is that
file_id.diz files are pretty uncommon outside of warez ftp servers. This
rule triggers if one of your machines tries to retrieve a file by this name
from an outside ftp server.

So it could, possibly, indicate that someone in your lan is downloading
warez, but I have occasionally seen file_id.diz files on legitimate ftp
servers as well.

I think I'll drop this rule from my ruleset now :)

At 09:00 AM 1/23/2003 +1300, Jason Haar wrote:
>I've just had that rule trigger three times, and it's classified as
>classtype:suspicious-filename-detect.
>
>Googling for that filename just shows references to BBS software - no
>references to anything dangerous.
>
>Is that rule actually relevant for anything?
>
>Thanks!
>
>--
>Cheers
>
>Jason Haar
>Information Security Manager, Trimble Navigation Ltd.
>Phone: +64 3 9635 377 Fax: +64 3 9635 417
>PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
>-------------------------------------------------------
>This SF.net email is sponsored by: Scholarships for Techies!
>Can't afford IT training? All 2003 ictp students receive scholarships.
>Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more.
>www.ictp.com/training/sourceforge.asp
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs





--------------------------------------------------------------------
"Some mornings, it's just not worth chewing through the leather straps."
-Emo Philips

Jim Forster, jforster at ...11... on 1/22/2003
Network Administrator
RapidNet, A Golden West Company
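To make the behaviour Matt describes concrete (the rule fires when a host on your own network sends an FTP RETR for a file named file_id.diz to an outside server), here is an added example that is not part of this thread and not the Snort rule itself. It reimplements the described matching logic in Python over a handful of constructed FTP control-channel commands. The HOME_NET range, the use of port 21 as the control port, and the choice to match only RETR (not STOR) are assumptions for the example; the real rule's exact content options are not reproduced here.

```python
import ipaddress
import re

# Assumed stand-in for a Snort sensor's $HOME_NET (example value, not from the thread).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
FTP_CONTROL_PORT = 21  # assumed: only the control channel is inspected

# FTP RETR command as sent on the control channel, e.g. b"RETR /pub/FILE_ID.DIZ\r\n".
# Case-insensitive because FTP commands and DOS-era filenames vary in case.
RETR_RE = re.compile(rb"^RETR\s+(?P<path>\S.*)$", re.IGNORECASE)


def ftp_retr_filename(payload):
    """Return the basename requested by an FTP RETR command, or None if the
    payload is not a RETR command."""
    line = payload.rstrip(b"\r\n")
    m = RETR_RE.match(line)
    if not m:
        return None
    path = m.group("path").strip()
    return path.rsplit(b"/", 1)[-1]


def is_file_id_diz_access(src_ip, dst_ip, dst_port, payload):
    """Mirror the rule as described in the thread: a client inside HOME_NET
    asking an external FTP server for file_id.diz in any directory, any case.
    Inbound requests against our own servers and uploads (STOR) do not match."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if dst_port != FTP_CONTROL_PORT or src not in HOME_NET or dst in HOME_NET:
        return False
    name = ftp_retr_filename(payload)
    return name is not None and name.lower() == b"file_id.diz"


def scan(packets):
    """Return the (src, dst, dport, payload) tuples that would raise the alert."""
    return [p for p in packets if is_file_id_diz_access(*p)]


# Constructed sample traffic (not captured data): (src_ip, dst_ip, dst_port, payload).
SAMPLE_PACKETS = [
    ("10.1.2.3", "203.0.113.7", 21, b"RETR FILE_ID.DIZ\r\n"),           # alert
    ("10.1.2.3", "203.0.113.7", 21, b"RETR /pub/incoming/file_id.diz\r\n"),  # alert
    ("10.1.2.3", "203.0.113.7", 21, b"RETR README.TXT\r\n"),            # other file
    ("198.51.100.9", "10.9.9.9", 21, b"RETR file_id.diz\r\n"),          # inbound, not outbound
    ("10.1.2.3", "203.0.113.7", 21, b"STOR file_id.diz\r\n"),           # upload, not RETR
    ("10.1.2.3", "203.0.113.7", 8080, b"RETR file_id.diz\r\n"),         # not the FTP control port
]

if __name__ == "__main__":
    for pkt in scan(SAMPLE_PACKETS):
        print("FTP file_id.diz access:", pkt)
```

The direction check is the part worth noticing: an outsider pulling file_id.diz from a server you host would not match a rule written for HOME_NET-to-EXTERNAL_NET traffic, so whether this kind of rule catches your own open anonymous FTP servers depends entirely on how the sensor's networks are defined.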
