[Snort-sigs] What is "FTP file_id.diz access" about?

[Jason Haar]

On Wed, Jan 22, 2003 at 02:55:35PM -0700, Jim Forster wrote:
> We don't use these file descriptors on our servers for any reason, so I
> should never see them, and haven't had a false yet.

? You're the second one here to say that, however I can't understand what
that has to do with the rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP file_id.diz access";
flow:to_server,established; content:"RETR "; nocase; content:"file_id.diz";
nocase; classtype:suspicious-filename-detect; sid:1445; rev:3;)

This is triggering on one of our users downloading file_id.diz from *someone
else's* FTP server. It doesn't mean we're running a warez server - but we
may have a user who is downloading warez...

Now that I know what the rule really is, I think it's fine. However,
wouldn't it be better rewritten as:

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP file_id.diz access -
possible warez download";flow:to_server,established; content:"RETR "; nocase; 
content:"file_id.diz";
nocase; classtype:suspicious-filename-detect; sid:1445; rev:3;)


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1