[Snort-sigs] Sid: 1748 false positives

twig les twigles at ...144...
Tue Feb 24 06:54:12 EST 2004


Rule:   FTP command overflow attempt

--
Sid: 1748

--
False Positives:  AIM using TCP port 21.


Note the timestamps; this is also my confirmed AIM server and I
manually switched AIM to run over TCP 21.  AIM also sets off
false positives for Sid 1378 ("FTP wu-ftp bad file completion
attempt {") when used over TCP 21, but AIM refused to set that
alarm off whilst I was capturing packets.


ACID alert: FTP command overflow attempt    2004-02-19 18:26:59

Packet Capture:
gate# tcpdump -xX -s0 -e src 192.168.1.5 and tcp dst port 21
tcpdump: listening on rl0

18:26:57.310167 0:50:8d:52:b1:0 0:9:5b:70:fb:e4 ip 93: 192.168.1.5.1317 > 205.188.8.69.ftp: P 4124895321:4124895360(39) ack 1759403800 win 65342 (DF)
0x0000   4500 004f b42f 4000 8006 aeca c0a8 0105        E..O./@.........
0x0010   cdbc 0845 0525 0015 f5dc e859 68de 5f18        ...E.%.....Yh._.
0x0020   5018 ff3e 715b 0000 2a02 30b5 0021 0004        P..>q[..*.0..!..
0x0030   0014 0000 0000 0014 0000 0000 0000 0000        ................
0x0040   0001 0a41 7472 6978 2057 306c 6600 02          ...Atrix.W0lf..
18:26:59.033198 0:50:8d:52:b1:0 0:9:5b:70:fb:e4 ip 185: 192.168.1.5.1317 > 205.188.8.69.ftp: P 39:170(131) ack 1 win 65342 (DF)
0x0000   4500 00ab b433 4000 8006 ae6a c0a8 0105        E....3@....j....
0x0010   cdbc 0845 0525 0015 f5dc e880 68de 5f18        ...E.%......h._.
0x0020   5018 ff3e 475d 0000 2a02 30b6 007d 0004        P..>G]..*.0..}..
0x0030   0006 0000 0089 0006 3130 3944 3334 4344        ........109D34CD
0x0040   0001 0a41 7472 6978 2057 306c 6600 0200        ...Atrix.W0lf...
0x0050   5a05 0100 0301 0102 0101 004f 0000 0000        Z..........O....
0x0060   3c48 544d 4c3e 3c42 4f44 5920 4247 434f        <HTML><BODY.BGCO
0x0070   4c4f 523d 2223 6666 6666 6666 223e 3c46        LOR="#ffffff"><F
0x0080   4f4e 5420 4c41 4e47 3d22 3022 3e61 696d        ONT.LANG="0">aim
0x0090   2062 6c6f 7773 3c2f 464f 4e54 3e3c 2f42        .blows</FONT></B
0x00a0   4f44 593e 3c2f 4854 4d4c 3e                    ODY></HTML>
^C
68 packets received by filter
0 packets dropped by kernel
gate# 


=====
-----------------------------------------------------------
With a few exceptions, secrecy is deeply incompatible with
democracy and with science.
     --Carl Sagan  
-----------------------------------------------------------





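The capture in the post can be checked mechanically. The script below is an added example, not code from the post or from the Snort rule set: it parses the two tcpdump -xX hex dumps reproduced in the message, strips the IPv4 and TCP headers, and tests whether each payload is an OSCAR FLAP frame (the framing AIM uses: 0x2A marker byte, channel byte, 16-bit sequence number, 16-bit data length) or an RFC 959 FTP command line. A port-21 payload whose FLAP length field exactly covers the remaining bytes, and which carries no CRLF anywhere, is AIM traffic rather than an FTP command, which is the kind of check an analyst wants before tuning the rule for a known host. The `USER anonymous` line used for contrast is constructed, not taken from the capture.

```python
"""Added example (not from the original post): classify the port-21
payloads in the message's tcpdump -xX capture as AIM/OSCAR FLAP frames
or FTP command lines.  The hex rows below are copied from the post with
the ASCII column dropped; the FLAP layout (0x2A marker, channel byte,
16-bit sequence, 16-bit data length) is OSCAR's public framing."""
import re
import struct

PACKET_1_HEX = """
0x0000 4500 004f b42f 4000 8006 aeca c0a8 0105
0x0010 cdbc 0845 0525 0015 f5dc e859 68de 5f18
0x0020 5018 ff3e 715b 0000 2a02 30b5 0021 0004
0x0030 0014 0000 0000 0014 0000 0000 0000 0000
0x0040 0001 0a41 7472 6978 2057 306c 6600 02
"""

PACKET_2_HEX = """
0x0000 4500 00ab b433 4000 8006 ae6a c0a8 0105
0x0010 cdbc 0845 0525 0015 f5dc e880 68de 5f18
0x0020 5018 ff3e 475d 0000 2a02 30b6 007d 0004
0x0030 0006 0000 0089 0006 3130 3944 3334 4344
0x0040 0001 0a41 7472 6978 2057 306c 6600 0200
0x0050 5a05 0100 0301 0102 0101 004f 0000 0000
0x0060 3c48 544d 4c3e 3c42 4f44 5920 4247 434f
0x0070 4c4f 523d 2223 6666 6666 6666 223e 3c46
0x0080 4f4e 5420 4c41 4e47 3d22 3022 3e61 696d
0x0090 2062 6c6f 7773 3c2f 464f 4e54 3e3c 2f42
0x00a0 4f44 593e 3c2f 4854 4d4c 3e
"""

# One tcpdump -x row: hex offset, whitespace, hex words.
HEX_ROW = re.compile(r"^0x[0-9a-f]{4}\s+([0-9a-f ]+)$")


def parse_hexdump(text):
    """Turn tcpdump -x rows (offset + hex words) into raw packet bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        m = HEX_ROW.match(line.strip())
        if m is None:
            raise ValueError("not a tcpdump hex row: %r" % line)
        out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def tcp_payload(packet):
    """Strip the IPv4 and TCP headers (the dump starts at the IP header)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not TCP")
    data_off = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_off:total_len]


def flap_header(payload):
    """Return (channel, seq, length) if the payload is exactly one
    well-formed FLAP frame, else None.  The length field must account
    for every byte after the 6-byte header."""
    if len(payload) < 6 or payload[0] != 0x2A:
        return None
    channel, seq, length = struct.unpack("!BHH", payload[1:6])
    if length != len(payload) - 6:
        return None
    return channel, seq, length


# RFC 959 command: 3-4 letter verb, optional argument, CRLF terminator.
FTP_CMD = re.compile(rb"^[A-Za-z]{3,4}( [^\r\n]*)?\r\n$")


def classify(payload):
    """Label a port-21 payload by its framing, FLAP first."""
    if flap_header(payload) is not None:
        return "oscar-flap"
    if FTP_CMD.match(payload) is not None:
        return "ftp-command"
    return "unknown"


def report(hexdump):
    """Classify one captured packet and note whether a CRLF appears,
    since a real FTP command line is CRLF-terminated."""
    payload = tcp_payload(parse_hexdump(hexdump))
    return {
        "bytes": len(payload),
        "kind": classify(payload),
        "flap": flap_header(payload),
        "has_crlf": b"\r\n" in payload,
    }


if __name__ == "__main__":
    for name, dump in (("packet 1", PACKET_1_HEX), ("packet 2", PACKET_2_HEX)):
        print(name, report(dump))
    # Constructed FTP command line for contrast (not from the capture).
    print("ftp", classify(b"USER anonymous\r\n"))
```

Both captured packets come back as channel-2 FLAP frames with consecutive sequence numbers (0x30b5 then 0x30b6) and no CRLF at all, so a CRLF-terminated FTP command never appears on the wire here. That is the evidence to attach to a pass rule or threshold scoped to the confirmed AIM server, rather than loosening the signature itself.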