[Snort-sigs] Error in http://www.snort.org/snort-db/sid.html?sid=618 and 620

Knut Bjornstad kbjo at ...1893...
Tue Sep 23 01:23:06 EDT 2003


I am new to this list - hope I do this correctly.

There is an error in the Snort rule doc-pages for SID 618 and 620 -
probably forgotten because of its triviality:

Attack Scenarios:
"An attacker can determine if ports 21 and 20 are being used for FTP. 
Then the attacker might find out that the FTP service is vulnerable to a 
particular attack and is then able to compromise the host."

This is obviously wrong since the rules catch Squid proxy attempts on
ports 8080 and 3128.

I am not sure about the right formulation - what about - for SID 618:

Attack Scenarios:
An attacker can determine if port 3128 is used by a Squid Proxy

False positives:
Links from Squid Proxies in $EXTERNAL_NET

For SID 620:

Attack Scenarios:
An attacker can determine if port 8080 is used by a Squid Proxy

False positives:
Traffic to ordinary web servers using port 8080


-- 
--Knut Bjornstad -- ErgoIntegration AS ---Oslo, Norway-------
--kbjo at ...1893... -- t:47 23 14 53 36 -- mob: 901 15 917 --



