[Snort-sigs] False +ves on FTP shadow retrieval attempt and suggested mitigation strategy

Murat Korkmaz mkorkmaz at ...2538...
Tue Jun 22 17:11:13 EDT 2004

 I wonder if "shadow" is part of the protocol? Or is it just a string we look for.

 Thanks, Murat

-----Original Message-----
From: Russell Fulton [mailto:r.fulton at ...575...]
Sent: Tuesday, June 22, 2004 4:55 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] False +ves on FTP shadow retrieval attempt and
suggested mitigation strategy

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule: FTP shadow retrieval attempt




Detailed Information:

Affected Systems:

Attack Scenarios:

Ease of Attack:

False Positives:  This rule will trigger on *any* occurrence of "shadow"
in the ftp control stream. I suggest requiring a RETR before the
"shadow" and this will prevent FPs on domain names and usernames etc.

False Negatives:

Corrective Action:


Additional References:
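To make the false-positive point concrete, here is an added example (not part of the original post, and not the rule text from the Snort ruleset) that models the two behaviours over a constructed FTP control stream: a naive match on the bare string "shadow" against a match that requires the "shadow" to follow a RETR verb in the same command. The Snort option sequences in the comments are assumed forms of the two rules, not copied from the ruleset; the sample commands are constructed.

```python
import re

# Constructed sample of an FTP control stream, client -> server direction,
# one command per line as the to_server side of the session would carry it.
SAMPLE_STREAM = [
    "USER shadowman",
    "PASS hunter2",
    "CWD /home/ftp/shadow.example.com",
    "RETR /etc/shadow",
    "retr ../../etc/shadow",
    "RETR photos/shadowlands.jpg",
    "QUIT",
]


def naive_match(command: str) -> bool:
    """Model of a rule that fires on any occurrence of 'shadow' in the
    control stream (assumed form: content:"shadow"; nocase;).  FTP commands
    and paths are compared case-insensitively, as an IDS rule would."""
    return "shadow" in command.lower()


# 'shadow' must appear somewhere after a RETR verb at the start of the command.
_RETR_SHADOW = re.compile(r"^\s*RETR\b.*shadow", re.IGNORECASE)


def retr_match(command: str) -> bool:
    """Model of the tightened rule suggested above: 'shadow' only counts when
    it follows a RETR in the same command (assumed form:
    content:"RETR"; nocase; content:"shadow"; nocase; distance:0;)."""
    return bool(_RETR_SHADOW.search(command))


def compare(stream):
    """Return (naive_hits, retr_hits): the commands each model fires on."""
    naive_hits = [c for c in stream if naive_match(c)]
    retr_hits = [c for c in stream if retr_match(c)]
    return naive_hits, retr_hits


if __name__ == "__main__":
    naive_hits, retr_hits = compare(SAMPLE_STREAM)
    print("bare 'shadow' rule fired on:")
    for c in naive_hits:
        print("   ", c)
    print("RETR-anchored rule fired on:")
    for c in retr_hits:
        print("   ", c)
```

Run as-is, the bare-string model fires on the USER name and the CWD path as well as the three RETR commands; the RETR-anchored model fires only on the RETR commands. The remaining hit on "photos/shadowlands.jpg" shows the residual cost of any substring rule: anchoring on RETR removes the username and domain-name false positives the post describes, but a retrieved filename that merely contains "shadow" still matches, because the rule is matching a string, not a protocol element.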
