[Snort-sigs] sid 1748 needs retuning
dwilburn at ...8...
Fri Nov 14 05:31:11 EST 2003
SID 1748 (FTP command overflow attempt) needs to be retuned, I suspect.
It is now set to alarm on any traffic sent to port 21 with more than
100 bytes. The trouble is, when files are referenced with a full path,
this is very often exceeded with perfectly normal traffic.

What is the realistic minimum amount of data required for a buffer
overflow? I suspect it is a bit above 100 bytes. Can we get the dsize
cranked up to a more acceptable number?

This is a pretty generic rule, designed as somewhat of a catch-all. I
think it would be better to have it lean more towards not catching some
*really* tight attacks, with the hope that known attacks will have a
specific signature for them, than the current leaning towards false
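As an added illustration of the tradeoff the post describes (not code from the list or from the Snort project): a constructed rule approximating sid 1748's dsize:>100 check, evaluated against constructed FTP command lines to show which legitimate full-path commands trip it and what raising the threshold changes. The rule text, the paths and the alternative ">400" threshold are assumptions, not values from the post.

```python
import re

# Constructed Snort-style rule approximating what the post describes for
# SID 1748; this is an assumption, not the rule's real text.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 '
        '(msg:"FTP command overflow attempt"; flow:to_server,established; '
        'dsize:>100; sid:1748;)')

# Constructed, legitimate client-to-server FTP command lines (CRLF-terminated).
LEGIT_COMMANDS = [
    b"USER anonymous\r\n",
    b"CWD /pub/mirrors/distributions/linux/releases/2003/x86/packages/base\r\n",
    b"STOR /var/www/sites/customer-portal/uploads/2003/11/14/"
    b"catalogue-high-resolution-images-archive.tar.gz\r\n",
    # a deeply nested path, built programmatically so its length is certain
    b"RETR /" + b"/".join(b"dir%02d" % i for i in range(20)) + b"/report.pdf\r\n",
]
# Constructed stand-in for an oversized argument of the kind the rule targets.
OVERSIZED = b"USER " + b"A" * 600 + b"\r\n"

def parse_dsize(rule):
    """Return a predicate for the rule's dsize option: >N, <N, N<>M or N.
    The N<>M range is treated as exclusive on both ends."""
    m = re.search(r'dsize:\s*(>|<)?\s*(\d+)(?:\s*<>\s*(\d+))?\s*;', rule)
    if not m:
        raise ValueError("rule has no dsize option")
    op, lo, hi = m.group(1), int(m.group(2)), m.group(3)
    if hi is not None:
        return lambda n: lo < n < int(hi)
    if op == '>':
        return lambda n: n > lo
    if op == '<':
        return lambda n: n < lo
    return lambda n: n == lo

def retune(rule, new_dsize):
    """Return a copy of the rule with its dsize option replaced, e.g. '>400'."""
    return re.sub(r'dsize:[^;]*;', 'dsize:%s;' % new_dsize, rule)

def flagged(rule, payloads):
    """Payloads whose length satisfies the rule's dsize option."""
    test = parse_dsize(rule)
    return [p for p in payloads if test(len(p))]

if __name__ == "__main__":
    for r in (RULE, retune(RULE, ">400")):
        fp, caught = flagged(r, LEGIT_COMMANDS), flagged(r, [OVERSIZED])
        print("%-11s false positives: %d  oversized caught: %s"
              % (re.search(r'dsize:[^;]*', r).group(0), len(fp), bool(caught)))
```

Run as a script it prints one line per threshold: at dsize:>100 two of the four ordinary full-path commands alert, while at the assumed >400 none do and the 607-byte payload is still caught.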