[Snort-sigs] FP on 2048 "MISC rsyncd overflow attempt"

Jason Haar Jason.Haar at ...651...
Sat Apr 16 03:57:16 EDT 2005

I'm continually seeing this rule trigger on an rsync between two of our 
Linux boxes - both using rsync-2.6.4. Basically it's a rsnapshot backup 
script that runs every hour, and snort triggers - well - every hour... 
The "-z" option is being used - which means the data is gzip'ped - so 
it's continually changing, but it looks to me like there are a bunch of 
NULLs at the beginning the the session - which triggers the rule.

Example hex dump of a sample packet is attached


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hexdump.txt
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20050416/cbf232e7/attachment.txt>

More information about the Snort-sigs mailing list