[Snort-sigs] False positives for 1748
jfernandez at ...2106...
Tue Jun 15 04:42:11 EDT 2004
Javier Fernandez-Sanguino wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow
> attempt"; flow:to_server,established,no_stream; dsize:>100;
> reference:bugtraq,4638; classtype:protocol-command-decode; sid:1748;
> False Positives:
> This signature might trigger if an FTP client provides a legitimate
> request which is over 100 characters long. For example, when FTP clients
> store or request files with full path located in deep directory
> hierarchies the full request might result in a filename that exceedes 95
Any reason why this has not been included in the rule set yet?
More information about the Snort-sigs