[Snort-sigs] False positives for 1748

Javier Fernandez-Sanguino jfernandez at ...2106...
Tue Jun 15 04:42:11 EDT 2004


Javier Fernandez-Sanguino wrote:

> Rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow 
> attempt"; flow:to_server,established,no_stream; dsize:>100; 
> reference:bugtraq,4638; classtype:protocol-command-decode; sid:1748; 
> rev:4;)
> -- 
> Sid:
> 1748
> -- 
> 
> False Positives:
> 
> This signature might trigger if an FTP client provides a legitimate 
> request which is over 100 characters long. For example, when FTP clients 
> store or request files with full path located in deep directory 
> hierarchies the full request might result in a filename that exceeds 95 
> characters.

Any reason why this has not been included in the rule set yet?

Javier
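
A triage sketch for alerts from sid 1748, added here as an example; it is not part of the original post or of the Snort rule set. It reproduces the rule's `dsize:>100` test and then separates long but ordinary path commands from payloads that deserve a closer look. The command list, the 64-byte component limit, the one-command-per-packet assumption and the sample payloads are all constructed for illustration.

```python
# Added example: triage for Snort sid 1748 alerts (not from the original post).
DSIZE_THRESHOLD = 100   # from the rule: dsize:>100
MAX_SEGMENT = 64        # assumption: longest path component treated as ordinary

# FTP commands that take a pathname argument (RFC 959).
PATH_COMMANDS = {"RETR", "STOR", "APPE", "DELE", "CWD", "MKD", "RMD",
                 "RNFR", "RNTO", "LIST", "NLST"}


def rule_1748_matches(payload: bytes) -> bool:
    """The rule's only content test: packet payload larger than 100 bytes."""
    return len(payload) > DSIZE_THRESHOLD


def triage(payload: bytes) -> str:
    """Classify one client-to-server FTP packet (assumed to hold one command)."""
    if not rule_1748_matches(payload):
        return "no-alert"
    line = payload.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    if verb.decode("ascii", "replace").upper() not in PATH_COMMANDS:
        return "review"             # long argument on a non-path command
    if any(b < 0x20 or b > 0x7E for b in arg):
        return "review"             # control or non-ASCII bytes in the argument
    segments = [s for s in arg.split(b"/") if s]
    if not segments or max(len(s) for s in segments) > MAX_SEGMENT:
        return "review"             # one very long component, not a deep path
    return "likely-false-positive"  # deep directory hierarchy, short components


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "short": b"RETR readme.txt\r\n",
    "deep_path": b"STOR /" + b"/".join([b"archive"] * 13) + b"/report.txt\r\n",
    "long_component": b"CWD " + b"A" * 300 + b"\r\n",
    "non_path_cmd": b"USER " + b"x" * 120 + b"\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:15} len={len(payload):3} -> {triage(payload)}")
```

Non-ASCII file names are routed to "review" by this sketch, so sites that store UTF-8 paths would need to relax that check.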




