[Snort-sigs] rule possibly misfiring

Chris Green cmg at ...435...
Mon Jan 27 14:03:06 EST 2003


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...361...> writes:

> The following rule:
> POLICY FTP 'STOR 1MB' possible warez site  (sid: 543)
>
> tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"POLICY FTP 'STOR 1MB'
> possible warez site"; flow:to_server,established; content:"STOR";
> nocase; content:"1MB"; nocase; distance:1; classtype:misc-activity;
> sid:543; rev:5;)
>
> Is hitting on the following data: (user/pass/ip:port have been
> modified)

Snort build/version?
-- 
Chris Green <cmg at ...435...>
To err is human, to moo bovine.



