[Snort-sigs] rule possibly misfiring

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Mon Jan 27 14:17:04 EST 2003


snort2 both of builds 28 and 49

-----Original Message-----
From: Chris Green [mailto:cmg at ...435...] 
Sent: Monday, January 27, 2003 4:01 PM
To: Kreimendahl, Chad J
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] rule possibly misfiring


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...361...> writes:

> The following rule:
> POLICY FTP 'STOR 1MB' possible warez site  (sid: 543)
>
> tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"POLICY FTP 'STOR 1MB'
> possible warez site"; flow:to_server,established; content:"STOR";
> nocase; content:"1MB"; nocase; distance:1; classtype:misc-activity;
> sid:543; rev:5;)
>
> Is hitting on the following data: (user/pass/ip:port have been
> modified)

Snort build/version?
-- 
Chris Green <cmg at ...435...>
To err is human, to moo bovine.



