[Snort-sigs] False positives for 1748

Javier Fernandez-Sanguino jfernandez at ...2106...
Mon May 10 03:50:05 EDT 2004


Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; classtype:protocol-command-decode; sid:1748; rev:4;)
--
Sid:
1748
--

False Positives:

This signature might trigger if an FTP client provides a legitimate 
request which is over 100 characters long. For example, when FTP 
clients store or request files with a full path located in deep 
directory hierarchies, the full request might result in a filename that 
exceeds 95 characters.
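
An added illustration, not part of the original post or of the Snort project: a triage helper that applies the rule's dsize:>100 test to FTP payloads and separates the deep-path case described above from alerts that still need review. The command list, the MAX_COMPONENT cut-off and the sample payloads are assumptions made for this example.

```python
import re

DSIZE_THRESHOLD = 100  # from the rule on this page: dsize:>100
MAX_COMPONENT = 64     # assumed cut-off for one path component; tune per site

# FTP commands that take a pathname argument (RFC 959 / RFC 3659).
PATH_COMMANDS = {"RETR", "STOR", "APPE", "DELE", "CWD", "MKD", "RMD",
                 "LIST", "NLST", "RNFR", "RNTO", "SIZE", "MDTM"}

# One complete command line: verb, space, printable-ASCII argument, CRLF.
LINE_RE = re.compile(rb"([A-Za-z]{3,4}) ([\x20-\x7e]+)\r\n")


def rule_matches(payload: bytes) -> bool:
    """Size test of sid 1748: packet payload longer than 100 bytes."""
    return len(payload) > DSIZE_THRESHOLD


def triage(payload: bytes) -> str:
    """Classify one payload as 'no-alert', 'likely-benign' or 'review'."""
    if not rule_matches(payload):
        return "no-alert"
    m = LINE_RE.fullmatch(payload)
    if m is None:
        return "review"         # binary data, several lines, or no CRLF
    verb = m.group(1).decode("ascii").upper()
    if verb not in PATH_COMMANDS:
        return "review"         # long argument to a non-path command
    parts = [p for p in m.group(2).decode("ascii").split("/") if p]
    if len(parts) >= 2 and all(len(p) <= MAX_COMPONENT for p in parts):
        return "likely-benign"  # deep hierarchy of ordinary-length names
    return "review"             # one very long name, not a deep path


# Constructed sample payloads (not captured traffic).
DEEP_PATH = "/" + "/".join(["home", "ftp", "pub", "mirrors", "debian", "pool",
                            "main", "s", "snort", "old-releases", "2004", "05",
                            "snort-rules-archive-2004-05-10.tar.gz"])
SAMPLES = {
    "short": b"RETR /pub/readme.txt\r\n",
    "deep": b"RETR " + DEEP_PATH.encode("ascii") + b"\r\n",
    "long_name": b"STOR " + b"x" * 120 + b"\r\n",
    "long_user": b"USER " + b"A" * 150 + b"\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:10} {len(payload):4d} bytes  {triage(payload)}")
```

The 'likely-benign' label is a triage hint for sorting sid 1748 alerts, not a verdict on the session.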




