[Snort-sigs] What is "FTP file_id.diz access" about?

Brian bmc at ...95...
Wed Jan 22 21:28:02 EST 2003


On Wed, Jan 22, 2003 at 06:06:25PM -0500, Matt Kettler wrote:
> alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP file_id.diz access";
> flow:to_server,established; content:"RETR "; nocase; content:"file_id.diz";
> nocase; classtype:misc-activity; sid:1445; rev:2;)
> 
> Note this is from a HOME_NET client to an EXTERNAL_NET server.
> 
> I can't see any significant value in detecting a local client opening such 
> a file on a remote server.

The purpose was to detect the illicit downloading of warez from inside
of the corporation.  However, in the general case I'm gonna agree with
this discussion and change it to look for someone downloading it from an
FTP server on HOME_NET (as that's what all of the other warez sigs look
for).  While I'm at it, those rules are moving into policy.rules, as
that's a policy decision.

-brian
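The point of the thread is which side of the FTP session the rule header points at. The following is an added example, not code from the original post and not Snort's own matching engine: a small evaluator for just the rule options sid 1445 uses (header source/destination nets and ports, flow:to_server, content with nocase), run over a few constructed FTP command lines. It applies the rule as quoted and a copy with the header direction swapped the way the reply describes. The HOME_NET range, the sample addresses and the exact swapped header are assumptions; the revision Brian actually committed is not on the page.

```python
"""Show what Snort sid 1445 fires on before and after swapping the header direction.

Added illustration, not Snort code. Only the options the quoted rule uses are
modelled; everything else in the rule body is ignored.
"""
import ipaddress
import re

# Assumed values for the Snort variables; a real snort.conf sets these.
# Snort's usual default is  var EXTERNAL_NET !$HOME_NET , modelled with "!".
NET_VARS = {
    "$HOME_NET": "10.0.0.0/8",
    "$EXTERNAL_NET": "!$HOME_NET",
}

# The rule exactly as quoted in the thread (sid 1445 rev 2).
RULE_ORIGINAL = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP file_id.diz access"; '
    'flow:to_server,established; content:"RETR "; nocase; content:"file_id.diz"; '
    'nocase; classtype:misc-activity; sid:1445; rev:2;)'
)

# Direction swapped as the reply proposes: an outside client fetching the file
# from an FTP server on HOME_NET. Assumed header, not the committed revision.
RULE_FLIPPED = RULE_ORIGINAL.replace(
    "$HOME_NET any -> $EXTERNAL_NET 21", "$EXTERNAL_NET any -> $HOME_NET 21"
)

HEADER_RE = re.compile(
    r"^alert\s+tcp\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$", re.S
)


def parse_rule(text):
    """Parse the header plus the option keywords this example understands."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    src, sport, dst, dport, body = m.groups()
    rule = {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "contents": [], "to_server": False, "sid": None}
    for opt in body.split(";"):          # no ';' inside this rule's strings
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        if key == "content":
            rule["contents"].append([val.strip().strip('"'), False])
        elif key == "nocase":            # modifies the preceding content
            rule["contents"][-1][1] = True
        elif key == "flow":
            rule["to_server"] = "to_server" in val.split(",")
        elif key == "sid":
            rule["sid"] = int(val)
    return rule


def _in_net(ip, var):
    """Resolve $VARS, 'any' and '!' negation against a single address."""
    if var == "any":
        return True
    if var.startswith("!"):
        return not _in_net(ip, var[1:])
    if var.startswith("$"):
        return _in_net(ip, NET_VARS[var])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(var)


def _port_ok(port, spec):
    return spec == "any" or int(spec) == port


def rule_matches(rule, session):
    """Apply a parsed rule to one FTP control-channel message.

    With flow:to_server the packet checked is the client's command, so the
    header's source is the FTP client and the destination is the FTP server.
    """
    if rule["to_server"] and session["direction"] != "to_server":
        return False
    if not (_in_net(session["client"], rule["src"])
            and _port_ok(session["client_port"], rule["sport"])
            and _in_net(session["server"], rule["dst"])
            and _port_ok(session["server_port"], rule["dport"])):
        return False
    payload = session["payload"]
    for pattern, nocase in rule["contents"]:   # every content must match
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


# Constructed sample traffic (addresses and commands invented for the example).
SESSIONS = [
    {"label": "inside->outside RETR", "client": "10.1.2.3", "client_port": 40001,
     "server": "203.0.113.7", "server_port": 21, "direction": "to_server",
     "payload": "RETR FILE_ID.DIZ\r\n"},
    {"label": "outside->inside RETR", "client": "198.51.100.9", "client_port": 52000,
     "server": "10.9.9.9", "server_port": 21, "direction": "to_server",
     "payload": "retr file_id.diz\r\n"},
    {"label": "inside->inside RETR", "client": "10.1.2.3", "client_port": 40002,
     "server": "10.9.9.9", "server_port": 21, "direction": "to_server",
     "payload": "RETR file_id.diz\r\n"},
    {"label": "outside->inside other file", "client": "198.51.100.9", "client_port": 52001,
     "server": "10.9.9.9", "server_port": 21, "direction": "to_server",
     "payload": "RETR README.TXT\r\n"},
    {"label": "server reply", "client": "198.51.100.9", "client_port": 52002,
     "server": "10.9.9.9", "server_port": 21, "direction": "to_client",
     "payload": "550 file_id.diz: No such file or directory\r\n"},
]


def fired(rule_text):
    """Labels of the sample sessions on which the rule would alert."""
    rule = parse_rule(rule_text)
    return [s["label"] for s in SESSIONS if rule_matches(rule, s)]


if __name__ == "__main__":
    print("original:", fired(RULE_ORIGINAL))
    print("flipped: ", fired(RULE_FLIPPED))
```

The quoted header only ever sees an internal client pulling the file from an outside server; once the nets are swapped the same content checks catch an outside client pulling it from a server inside HOME_NET, which is the case the reply says the other warez signatures already cover. The move into policy.rules is a file placement, not a matching change, so nothing in the evaluator represents it.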
