[Snort-sigs] False +ves on FTP shadow retrieval attempt and suggested mitigation strategy

Nigel Houghton nigel at ...435...
Tue Jun 22 17:12:24 EDT 2004

On  0, Russell Fulton <r.fulton at ...575...> allegedly wrote:
> --
> False Positives:  This rule will trigger on *any* occurrence of "shadow"
> in the ftp control stream. I suggest requiring a RETR before the
> "shadow" and this will prevent FPs on domain names and usernames etc.

Check your rule, here is the existing Snort rule...

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retrieval
attempt"; flow:to_server,established; content:"RETR"; nocase;
content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:3;)

Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.

More information about the Snort-sigs mailing list