[Snort-sigs] sid 1748 needs retuning

David Wilburn dwilburn at ...8...
Fri Nov 14 05:31:11 EST 2003


SID 1748 (FTP command overflow attempt) needs to be retuned, I suspect.
It is now set to alarm on any traffic sent to port 21 with more than
100 bytes.  The trouble is, when files are referenced with a full path,
this is very often exceeded with perfectly normal traffic.

What is the realistic minimum amount of data required for a buffer 
overflow?  I suspect it is a bit above 100 bytes.  Can we get the dsize 
cranked up to a more acceptable number?

This is a pretty generic rule, designed as somewhat of a catch-all.  I 
think it would be better to have it lean more towards not catching some 
*really* tight attacks, with the hope that known attacks will have a 
specific signature for them, than the current leaning towards false 
alarming.

Thanks,

Dave Wilburn
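An added illustration of the tuning question raised above (this is not code from the post, the Snort rule set, or the Snort project): it models the rule as the post describes it, a plain payload-length check on client-to-server traffic to port 21, and sweeps candidate thresholds over constructed FTP commands. The command lines, paths and the oversized argument are all constructed for this example; the `dsize_match`, `evaluate` and `sweep` names are this example's own.

```python
# Added example: how a pure dsize-style threshold behaves on FTP control-channel
# commands. The rule logic is assumed from the post's description (alert when a
# client->server payload to port 21 exceeds N bytes). All sample commands below
# are constructed for this illustration.

from dataclasses import dataclass


@dataclass
class FtpCommand:
    label: str      # "legit" or "suspect": ground truth for the constructed sample
    payload: bytes  # the command line as it would appear on the wire


# Constructed sample traffic: short commands, long-but-legitimate full paths,
# and one oversized argument of the kind a length threshold is meant to catch.
LONG_DIR = b"/data/projects/2003/customer-archive/quarterly-reports/q3/drafts/approved/final-versions/attachments"

SAMPLE_TRAFFIC = [
    FtpCommand("legit", b"USER anonymous\r\n"),
    FtpCommand("legit", b"RETR /pub/mirrors/linux/kernel/v2.4/patch-2.4.22.bz2\r\n"),
    FtpCommand("legit", b"RETR /pub/mirrors/distributions/redhat/updates/9/en/os/i386/kernel-2.4.20-20.9.i686.rpm\r\n"),
    FtpCommand("legit", b"CWD " + LONG_DIR + b"\r\n"),                          # 106 bytes
    FtpCommand("legit", b"RETR " + LONG_DIR + b"/summary-final-v2.doc\r\n"),    # 128 bytes
    FtpCommand("suspect", b"CWD " + b"A" * 600 + b"\r\n"),                      # 606 bytes
]


def dsize_match(payload: bytes, threshold: int) -> bool:
    """Equivalent of a Snort dsize:>N test: fires on payload length alone."""
    return len(payload) > threshold


def evaluate(threshold: int, traffic=SAMPLE_TRAFFIC):
    """Return (legitimate commands flagged, suspect commands caught) for one threshold."""
    false_positives = sum(
        1 for c in traffic if c.label == "legit" and dsize_match(c.payload, threshold)
    )
    detections = sum(
        1 for c in traffic if c.label == "suspect" and dsize_match(c.payload, threshold)
    )
    return false_positives, detections


def sweep(thresholds=(100, 200, 300, 500), traffic=SAMPLE_TRAFFIC):
    """Map each candidate dsize threshold to its (false positive, detection) counts."""
    return {t: evaluate(t, traffic) for t in thresholds}


if __name__ == "__main__":
    suspects = sum(1 for c in SAMPLE_TRAFFIC if c.label == "suspect")
    for t, (fp, tp) in sweep().items():
        print(f"dsize:>{t}: {fp} legitimate commands flagged, {tp} of {suspects} oversized caught")
```

On this constructed sample the 100-byte threshold flags two ordinary full-path commands while every higher threshold still catches the 606-byte argument, which is the trade-off the post is asking to rebalance; against real traffic the same sweep would be run over a capture of the site's own FTP sessions.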