[Snort-sigs] False +ves on FTP shadow retrieval attempt and suggested mitigation strategy

Nigel Houghton nigel at ...435...
Tue Jun 22 17:19:34 EDT 2004

On  0, Murat Korkmaz <mkorkmaz at ...2538...> allegedly wrote:
>  I wonder if   "shadow"  ispart of the protocol? Or is it just a string we look for.

No, the rule is looking for the retrieval of what should be a protected
system file. I have recently updated the rule document to give more
information for this rule, it will be up on snort.org in the near future.

Here's some extra information from the doc if you can't wait:

"In this case, the rule will generate an event due to the attempted
transfer of a shadow file. This file is generally used on muli-user
systems to provide greater security for user passwords. This file should
only be readable by the super user."

Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.

More information about the Snort-sigs mailing list