[Snort-sigs] False positive: FTP passwd retrieval attempt - sid:356

nnposter at ...592...
Fri Mar 11 06:57:10 EST 2005


"James Riden" wrote:
> Just FYI - can't think of a good fix right now. This is apt-get (or
> possibly debmirror) fetching Debian package 'passwd'.
> 
> > Generated by BASE v1.0.2 (racquel) on Fri, 11 Mar 2005 14:43:23 +1300
> >
> > ------------------------------------------------------------------------------
> > #(2 - 19462) [2005-02-25 09:27:23.227] [arachNIDS/213] [snort/356]  FTP passwd retrieval attempt
> > IPv4: 130.123.a.b -> 130.123.x.y
> >       hlen=5 TOS=0 dlen=104 ID=10852 flags=0 offset=0 TTL=64 chksum=13407
> > TCP:  port=32885 -> dport: 21  flags=***AP*** seq=1565934957
> >       ack=1743706278 off=8 res=0 win=33232 urp=0 chksum=18269
> >       Options:
> >        #1 - NOP len=0
> >        #2 - NOP len=0
> >        #3 - TS len=8 data=005B7D5F0A76D949
> > Payload:  length = 52
> >
> > 000 : 52 45 54 52 20 70 6F 6F 6C 2F 6D 61 69 6E 2F 73   RETR pool/main/s
> > 010 : 2F 73 68 61 64 6F 77 2F 70 61 73 73 77 64 5F 34   /shadow/passwd_4
> > 020 : 2E 30 2E 33 2D 33 30 2E 39 5F 69 33 38 36 2E 64   .0.3-30.9_i386.d
> > 030 : 65 62 0D 0A                                       eb..


Converting to PCRE should take care of most false positives:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
    (msg:"FTP passwd retrieval attempt"; flow:to_server,established; \
    content:"passwd"; pcre:"/^\s*RETR\s+\S*\b(?-i)passwd\s/smi"; \
    reference:arachnids,213; classtype:suspicious-filename-detect; \
    sid:356; rev:6;)

Cheers,
nnposter
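An added example, not part of the post and not Snort's own code: the proposed PCRE translated to Python's re and run over the apt-get payload from the quoted alert plus a few constructed FTP command lines, comparing what a bare content:"passwd" match alerts on with the content-plus-PCRE rule. It assumes the pre-rev:6 rule was just the content match, and uses Python's scoped (?-i:...) in place of PCRE's (?-i).

```python
import re
# The PCRE from the proposed rev:6 of sid:356, /^\s*RETR\s+\S*\b(?-i)passwd\s/smi,
# in Python's re: s/m/i map to re.S/re.M/re.I and PCRE's mid-pattern (?-i)
# becomes the scoped (?-i:...), the only form Python accepts. \b makes "passwd"
# start a path component and the trailing \s makes it end the name, which is
# what rejects passwd_4.0.3-30.9_i386.deb while still matching /etc/passwd.
RETR_PASSWD = re.compile(r"^\s*RETR\s+\S*\b(?-i:passwd)\s", re.S | re.M | re.I)

def content_only(payload: bytes) -> bool:
    """content:"passwd" on its own (assumed here to be the pre-rev:6 rule)."""
    return b"passwd" in payload

def content_plus_pcre(payload: bytes) -> bool:
    """content prefilter, then the PCRE, as in the rev:6 rule."""
    if not content_only(payload):
        return False
    return RETR_PASSWD.search(payload.decode("latin-1")) is not None

def parse_base_dump(dump: str) -> bytes:
    """Rebuild the payload from BASE hex dump rows ("off : hex   ascii")."""
    out = b""
    for line in dump.splitlines():
        if " : " not in line:
            continue
        # 3+ spaces separate the hex column from the ASCII column.
        hexfield = re.split(r" {3,}", line.split(" : ", 1)[1], maxsplit=1)[0]
        out += bytes.fromhex(hexfield)
    return out

# Payload rows copied from the alert quoted in the post (the apt-get fetch).
BASE_DUMP = """\
000 : 52 45 54 52 20 70 6F 6F 6C 2F 6D 61 69 6E 2F 73   RETR pool/main/s
010 : 2F 73 68 61 64 6F 77 2F 70 61 73 73 77 64 5F 34   /shadow/passwd_4
020 : 2E 30 2E 33 2D 33 30 2E 39 5F 69 33 38 36 2E 64   .0.3-30.9_i386.d
030 : 65 62 0D 0A                                       eb..
"""

# Constructed FTP command lines, plus the real one, to compare both rules.
SAMPLES = {
    "debian-package": parse_base_dump(BASE_DUMP),
    "etc-passwd": b"RETR /etc/passwd\r\n",
    "second-command": b"USER anonymous\r\nRETR /etc/passwd\r\n",
    "other-word": b"RETR mypasswd\r\n",
    "upload-not-download": b"STOR passwd\r\n",
    "suffixed-name": b"RETR passwd.bak\r\n",
}

def verdicts() -> dict:
    """Sample name -> (content-only alerts, content+pcre alerts)."""
    return {n: (content_only(p), content_plus_pcre(p)) for n, p in SAMPLES.items()}
```

The trailing \s is also why a name such as passwd.bak no longer alerts, so this rev trades a little coverage for the false-positive fix.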
