[Snort-sigs] rule possibly misfiring

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Mon Jan 27 13:48:08 EST 2003


The following rule:
POLICY FTP 'STOR 1MB' possible warez site  (sid: 543)

tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"POLICY FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; nocase; distance:1; classtype:misc-activity; sid:543; rev:5;)

Is hitting on the following data: (user/pass/ip:port have been modified)

USER <some user>
PASS <some password>
TYPE A
PORT <ip,port>
STOR PTS.USER.EB125.CHK_+1
QUIT



