[Snort-sigs] False positives for 1748

Nigel Houghton nigel at ...435...
Tue Jun 15 09:27:02 EDT 2004


On  0, Javier Fernandez-Sanguino <jfernandez at ...2106...> allegedly wrote:
> Javier Fernandez-Sanguino wrote:
> 
> >Rule:
> >alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow 
> >attempt"; flow:to_server,established,no_stream; dsize:>100; 
> >reference:bugtraq,4638; classtype:protocol-command-decode; sid:1748; 
> >rev:4;)
> >-- 
> >Sid:
> >1748
> >-- 
> >
> >False Positives:
> >
> >This signature might trigger if an FTP client provides a legitimate 
> >request which is over 100 characters long. For example, when FTP clients 
> >store or request files with full path located in deep directory 
> >hierarchies the full request might result in a filename that exceeds 95 
> >characters.
> 
> Any reason why this has not been included in the rule set yet?

This false positive information was added to the doc last week.

-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
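
Added example, not part of the original thread or of Snort itself: a Python sketch that models only the `dsize:>100` size test of sid 1748 on constructed FTP payloads, and separates deep-path requests of the kind described in the false-positive note from alerts that still need an analyst. The verb list, the segment-length cutoff, the function names and the sample payloads are assumptions chosen for illustration.

```python
# Added illustration: models the payload-size test of sid 1748 for alert triage.
DSIZE_THRESHOLD = 100   # from the rule: dsize:>100 (per packet, given no_stream)
MAX_SEGMENT = 64        # assumption: longest plausible single path component

# Assumption: FTP verbs whose argument is a path (illustrative, not exhaustive).
PATH_VERBS = {b"STOR", b"RETR", b"APPE", b"CWD", b"MKD", b"RMD", b"DELE",
              b"LIST", b"NLST", b"SIZE", b"MDTM", b"RNFR", b"RNTO"}


def would_alert(payload: bytes) -> bool:
    """True when one packet's payload satisfies dsize:>100."""
    return len(payload) > DSIZE_THRESHOLD


def triage(payload: bytes) -> str:
    """Label a payload: 'no-alert', 'likely-benign-long-path' or 'review'."""
    if not would_alert(payload):
        return "no-alert"
    line = payload.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    printable = all(0x20 <= b < 0x7F for b in arg)
    segments = [s for s in arg.split(b"/") if s]
    longest = max((len(s) for s in segments), default=0)
    # A deep directory hierarchy has many short, printable components.
    if (verb.upper() in PATH_VERBS and printable
            and len(segments) >= 3 and longest <= MAX_SEGMENT):
        return "likely-benign-long-path"
    return "review"


# Constructed sample payloads (not captured traffic).
SHORT = b"RETR /pub/readme.txt\r\n"
DEEP = (b"STOR /" + b"/".join(b"level%02d" % i for i in range(12))
        + b"/report.txt\r\n")
UNBROKEN = b"CWD " + b"A" * 200 + b"\r\n"   # one long argument, no separators

if __name__ == "__main__":
    for name, p in (("SHORT", SHORT), ("DEEP", DEEP), ("UNBROKEN", UNBROKEN)):
        print(f"{name:9s} len={len(p):3d} -> {triage(p)}")
```

The size test counts the whole payload, so the command verb, the space and the trailing CRLF all count toward the 100-byte limit along with the path.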



