[Snort-sigs] sid 1748 needs retuning

Russell Fulton r.fulton at ...575...
Fri Nov 14 11:43:05 EST 2003


On Sat, 2003-11-15 at 02:29, David Wilburn wrote:
> SID 1748 (FTP command overflow attempt) needs to be retuned, I suspect. 
>   It is now set to alarm on any traffic sent to port 21 with more than 
> 100 bytes.  The trouble is, when files are referenced with a full path, 
> this is very often exceeded with perfectly normal traffic.

I have ended up dropping nearly all the generic field overflows for FTP,
POP and IMAP.  There are two problems that make them very prone to False
Positives (FPs):
     1. As David mentions the limits are unrealistically low in some
        cases.
     2. There are broken clients out there that rely on end of packet as
        a delimiter and don't include the CR/LF.  Servers seem to cope
        with this OK so the clients don't get fixed :(
The second is a real issue for us since we have a lot of users (30,000)
and no control over the clients they use. It only takes a few users with
crap clients to generate dozens of FPs and render the rules useless :(
-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
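The two problems Russell describes can be shown side by side with a small emulation. The code below is an added example, not part of the mailing-list thread and not Snort's own rule engine: it reproduces only the behaviour David reports (alert on any client-to-server FTP payload over 100 bytes) and contrasts it with a per-command check that measures the argument after the verb, splits pipelined commands, and treats a missing CR/LF as end of command so broken clients are inspected rather than misjudged. The 256-byte argument limit and all sample payloads are constructed for this example.

```python
"""Added example (not from the Snort-sigs thread): naive whole-packet length
check versus a per-command argument check for FTP command overflow alerts."""

# Limit David reports the rule using at the time (whole payload, in bytes).
NAIVE_PACKET_LIMIT = 100
# Assumed per-argument limit for the tuned check; pick one for your environment.
TUNED_ARG_LIMIT = 256


def naive_alert(payload: bytes) -> bool:
    """Emulates the behaviour described in the thread: fire on any
    client->server FTP payload longer than NAIVE_PACKET_LIMIT bytes,
    regardless of how many commands it carries or how long each is."""
    return len(payload) > NAIVE_PACKET_LIMIT


def split_commands(payload: bytes) -> list:
    """Split one TCP segment into FTP command lines.

    RFC 959 terminates commands with CRLF, but a client that omits the
    terminator still gets its trailing bytes treated as a command, so a
    broken client is measured the same way as a compliant one."""
    lines = payload.split(b"\n")
    return [ln.rstrip(b"\r") for ln in lines if ln.strip(b"\r")]


def tuned_alerts(payload: bytes, limit: int = TUNED_ARG_LIMIT) -> list:
    """Measure the argument after each command verb and return
    (verb, argument_length) for every line whose argument exceeds limit."""
    hits = []
    for line in split_commands(payload):
        verb, _, arg = line.partition(b" ")
        if len(arg) > limit:
            hits.append((verb.upper(), len(arg)))
    return hits


# Constructed sample client->server payloads (not captured traffic).
SAMPLES = {
    # Legitimate RETR with a long full path: 118 bytes in total.
    "long_path": (
        b"RETR /srv/ftp/pub/mirrors/distributions/linux/2003/november/"
        b"security-updates/x86/packages/openssh-3.7.1p2-1.i386.rpm\r\n"
    ),
    # Several short commands pipelined into one segment: 122 bytes in total.
    "pipelined": (
        b"USER anonymous\r\nPASS user@example.com\r\nTYPE I\r\n"
        b"CWD /pub/mirrors/distributions/linux/2003/november/security-updates\r\n"
        b"PASV\r\n"
    ),
    # Broken client that relies on end of packet instead of CRLF.
    "no_crlf": b"CWD /incoming",
    # An oversized argument of the kind the rule is meant to catch.
    "oversized": b"USER " + b"A" * 600 + b"\r\n",
}


def evaluate(samples=SAMPLES) -> dict:
    """Run both checks over every sample; returns name -> (naive, tuned hits)."""
    return {name: (naive_alert(p), tuned_alerts(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (naive, tuned) in evaluate().items():
        print(f"{name:10s} naive={naive!s:5s} tuned={tuned}")
```

Running it shows the long path and the pipelined segment firing the naive check only, the CR/LF-less command firing neither, and the 600-byte USER argument firing both; the naive alerts on the first two are exactly the false positives the thread complains about.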
