[Snort-sigs] What is "FTP file_id.diz access" about?
Jason Haar
Jason.Haar at ...651...
Wed Jan 22 14:17:05 EST 2003
On Wed, Jan 22, 2003 at 02:55:35PM -0700, Jim Forster wrote:
> We don't use these file descriptors on our servers for any reason, so I
> should never see them, and haven't had a false yet.
You're the second one here to say that; however, I can't understand what
that has to do with the rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP file_id.diz access";
flow:to_server,established; content:"RETR "; nocase; content:"file_id.diz";
nocase; classtype:suspicious-filename-detect; sid:1445; rev:3;)
This is triggering on one of our users downloading file_id.diz from *someone
else's* FTP server. It doesn't mean we're running a warez server - but we
may have a user who is downloading warez...
Now that I know what the rule really is, I think it's fine. However,
wouldn't it be better rewritten as:
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP file_id.diz access - possible warez download";
flow:to_server,established; content:"RETR "; nocase; content:"file_id.diz";
nocase; classtype:suspicious-filename-detect; sid:1445; rev:3;)
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
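As an added illustration (not from the thread, and not Snort code), here is a small Python model of what sid:1445 does and does not fire on, assuming $HOME_NET is 10.0.0.0/8 and using constructed sample packets. It also includes a hypothetical mirrored direction to show what a rule covering the "we are the FTP server" case would look like.

```python
import ipaddress
from dataclasses import dataclass

# Assumed $HOME_NET for this illustration; $EXTERNAL_NET is treated as "not $HOME_NET".
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

@dataclass
class FtpPacket:
    src: str
    dst: str
    dport: int
    to_server: bool      # True for client -> server traffic (flow:to_server)
    established: bool    # True once the TCP handshake has completed (flow:established)
    payload: bytes

def in_home_net(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET

def contents_present(payload: bytes, *patterns: bytes) -> bool:
    # The rule's two content options carry no distance/within modifiers, so
    # each is searched independently over the whole payload; nocase folds case.
    hay = payload.lower()
    return all(p.lower() in hay for p in patterns)

def sid1445(pkt: FtpPacket, outbound: bool = True) -> bool:
    """outbound=True is the rule as written ($HOME_NET -> $EXTERNAL_NET 21): it
    fires when a home user fetches file_id.diz from someone else's server.
    outbound=False is a hypothetical mirror ($EXTERNAL_NET -> $HOME_NET 21) that
    would fire when an outside client fetches file_id.diz from a home server."""
    if outbound:
        direction_ok = in_home_net(pkt.src) and not in_home_net(pkt.dst)
    else:
        direction_ok = (not in_home_net(pkt.src)) and in_home_net(pkt.dst)
    return (direction_ok and pkt.dport == 21 and pkt.to_server and pkt.established
            and contents_present(pkt.payload, b"RETR ", b"file_id.diz"))

# Constructed sample traffic (not captured data); addresses are documentation ranges.
SAMPLES = {
    "home_user_downloads": FtpPacket("10.1.2.3", "203.0.113.5", 21, True, True, b"retr FILE_ID.DIZ\r\n"),
    "outsider_fetches_from_home_server": FtpPacket("203.0.113.5", "10.1.2.3", 21, True, True, b"RETR file_id.diz\r\n"),
    "home_user_lists_dir": FtpPacket("10.1.2.3", "203.0.113.5", 21, True, True, b"LIST\r\n"),
    "server_reply": FtpPacket("203.0.113.5", "10.1.2.3", 49152, False, True, b"150 Opening data connection for file_id.diz\r\n"),
}

def alerts(outbound: bool = True) -> list[str]:
    return [name for name, pkt in SAMPLES.items() if sid1445(pkt, outbound)]

if __name__ == "__main__":
    print("rule as written fires on:", alerts())            # ['home_user_downloads']
    print("mirrored rule fires on:", alerts(outbound=False))  # ['outsider_fetches_from_home_server']
```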