[Snort-sigs] sid 1748 needs retuning

Russell Fulton r.fulton at ...575...
Fri Nov 14 11:43:05 EST 2003

On Sat, 2003-11-15 at 02:29, David Wilburn wrote:
> SID 1748 (FTP command overflow attempt) needs to be retuned, I suspect. 
>   It is now set to alarm on any traffic sent to port 21 with more than 
> 100 bytes.  The trouble is, when files are referenced with a full path, 
> this is very often exceeded with perfectly normal traffic.

I have ended up dropping nearly all the generic field overflows for FTP,
POP and IMAP.  There are two problems that make them very prone to False
     1. As David mentions the limits are unrealistically low in some
     2. There are broken clients out there that rely on end of packet as
        a delimiter and don't include the CR/LF.  Servers seem to cope
        with this OK so the clients don't get fixed :(
The second is a real issue for use since we have a lot of users (30,000)
and no control over the clients they use. It only take a few users with
crap clients to generate dozens of FPs  and render the rules useless :(
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.

More information about the Snort-sigs mailing list