[Snort-sigs] False positive: FTP passwd retrieval attempt - sid:356

James Riden j.riden at ...1766...
Thu Mar 10 17:52:15 EST 2005


Just FYI - can't think of a good fix right now. This is apt-get (or
possibly debmirror) fetching Debian package 'passwd'.

> Generated by BASE v1.0.2 (racquel) on Fri, 11 Mar 2005 14:43:23 +1300
>
> ------------------------------------------------------------------------------
> #(2 - 19462) [2005-02-25 09:27:23.227] [arachNIDS/213] [snort/356]  FTP passwd retrieval attempt
> IPv4: 130.123.a.b -> 130.123.x.y
>       hlen=5 TOS=0 dlen=104 ID=10852 flags=0 offset=0 TTL=64 chksum=13407
> TCP:  port=32885 -> dport: 21  flags=***AP*** seq=1565934957
>       ack=1743706278 off=8 res=0 win=33232 urp=0 chksum=18269
>       Options:
>        #1 - NOP len=0
>        #2 - NOP len=0
>        #3 - TS len=8 data=005B7D5F0A76D949
> Payload:  length = 52
>
> 000 : 52 45 54 52 20 70 6F 6F 6C 2F 6D 61 69 6E 2F 73   RETR pool/main/s
> 010 : 2F 73 68 61 64 6F 77 2F 70 61 73 73 77 64 5F 34   /shadow/passwd_4
> 020 : 2E 30 2E 33 2D 33 30 2E 39 5F 69 33 38 36 2E 64   .0.3-30.9_i386.d
> 030 : 65 62 0D 0A                                       eb..

-- 
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
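As an added illustration that is not part of the original message or of the Snort rule set, the Python below decodes the payload quoted in the report, models the content match a rule like sid:356 performs, and shows the narrowing check a sensor operator would want: distinguish a Debian pool fetch of the 'passwd' package (pool/<component>/<letter>/<source>/<package>_<version>_<arch>.deb) from a genuine RETR of /etc/passwd. The exact rule text of sid:356 is not reproduced on this page, so the match modelled here (an FTP RETR command, verb matched case-insensitively, with 'passwd' anywhere in the argument) is an assumption, as are the extra sample commands, which are constructed for comparison.

```python
import re

# Payload bytes reconstructed from the hex dump quoted in the report above
# (52 bytes, the RETR line sent from 130.123.a.b to port 21).
QUOTED_PAYLOAD = bytes.fromhex(
    "52 45 54 52 20 70 6F 6F 6C 2F 6D 61 69 6E 2F 73"
    "2F 73 68 61 64 6F 77 2F 70 61 73 73 77 64 5F 34"
    "2E 30 2E 33 2D 33 30 2E 39 5F 69 33 38 36 2E 64"
    "65 62 0D 0A"
)

# Constructed comparison samples (not from the report).
REAL_PASSWD_FETCH = b"RETR /etc/passwd\r\n"
BARE_PASSWD = b"retr passwd\r\n"
HARMLESS_RETR = b"RETR pool/main/h/hello/hello_2.1.1-4_i386.deb\r\n"

# Debian archive pool layout: pool/<component>/<letter or lib+letter>/<source>/
# <package>_<version>_<arch>.deb, optionally below a mirror prefix such as debian/.
DEBIAN_POOL_DEB = re.compile(
    r"^(?:/?[\w.+-]+/)*?pool/(?:main|contrib|non-free)/"
    r"(?P<prefix>(?:lib)?[a-z0-9])/"
    r"(?P<source>[a-z0-9][a-z0-9+.-]*)/"
    r"(?P<package>[a-z0-9][a-z0-9+.-]*)_(?P<version>[^_/]+)_(?P<arch>[a-z0-9-]+)\.deb$"
)


def parse_ftp_command(payload: bytes):
    """Split one FTP control-channel line into (VERB, argument).

    Returns (None, None) unless the payload is a single CRLF-terminated line.
    """
    if not payload.endswith(b"\r\n"):
        return None, None
    line = payload[:-2].decode("ascii", errors="replace")
    verb, _, arg = line.partition(" ")
    return verb.upper(), arg


def sid356_like_match(payload: bytes) -> bool:
    """Model of the content match assumed for sid:356 (assumption, see lead-in):
    RETR, case-insensitive, followed by 'passwd' somewhere in the argument."""
    verb, arg = parse_ftp_command(payload)
    if verb != "RETR":
        return False
    return "passwd" in arg.lower()


def is_debian_pool_deb(arg: str) -> bool:
    """True if the RETR argument has the shape of a Debian pool .deb path and the
    letter directory agrees with the source package name (s/shadow, libc/libc6)."""
    m = DEBIAN_POOL_DEB.match(arg)
    if not m:
        return False
    source = m.group("source")
    expected_prefix = source[:4] if source.startswith("lib") else source[:1]
    return m.group("prefix") == expected_prefix


def classify(payload: bytes) -> str:
    """'none' if the modelled match does not fire; 'fp-debian-mirror' if it fires
    only because a .deb in a Debian pool path carries 'passwd' in its name;
    'alert' for every other hit (e.g. RETR /etc/passwd).

    Caveat: the path shape alone only cuts noise. An attacker could name a file
    to look like a pool entry, so pair this with the destination being a known
    mirror before suppressing anything at the sensor.
    """
    if not sid356_like_match(payload):
        return "none"
    _, arg = parse_ftp_command(payload)
    if is_debian_pool_deb(arg):
        return "fp-debian-mirror"
    return "alert"


if __name__ == "__main__":
    samples = [
        ("quoted report payload", QUOTED_PAYLOAD),
        ("constructed /etc/passwd", REAL_PASSWD_FETCH),
        ("constructed bare passwd", BARE_PASSWD),
        ("constructed other .deb", HARMLESS_RETR),
    ]
    for label, payload in samples:
        verb, arg = parse_ftp_command(payload)
        print(f"{label:24} {verb} {arg!r:52} -> {classify(payload)}")
```

Run stand-alone, the quoted payload decodes to "RETR pool/main/s/shadow/passwd_4.0.3-30.9_i386.deb" and is classed as the Debian-mirror false positive, while RETR /etc/passwd still alerts; the same split can be applied at alert-review time in BASE even where the rule itself is left untouched.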