[Snort-sigs] False positive - sid:1928

Paul Schmehl pauls at ...1311...
Fri Mar 18 14:31:25 EST 2005


/usr/local/share/snort/ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 
21 (msg:"FTP shadow retrieval attempt"; flow:to_server,established; 
content:"RETR"; nocase; content:"shadow"; 
classtype:suspicious-filename-detect; sid:1928; rev:3;)

Payload:

length = 64

000 : 52 45 54 52 20 2F 68 6F 6D 65 2F 30 30 31 2F 6D   RETR /home/001/m
010 : 2F 6D 78 2F 6D 78 61 30 32 34 30 30 30 2F 70 75   /mx/mxa024000/pu
020 : 62 6C 69 63 5F 68 74 6D 6C 2F 69 6D 61 67 65 73   blic_html/images
030 : 2F 73 68 61 64 6F 77 54 6F 70 2E 67 69 66 0D 0A   /shadowTop.gif..
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Perhaps content:"/etc/shadow" or content:"etc/shadow" would be better?

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
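To make the false positive concrete, here is an added Python example (not from the post or the Snort project) that rebuilds the payload from the hex dump above and runs both the quoted sid:1928 content checks and the tightened "/etc/shadow" variant over it. It approximates Snort's content matching as "each pattern anywhere in the payload, no relative modifiers"; the true-positive sample is constructed.

```python
# Hex dump as it appears in the post: the 64-byte FTP payload that fired sid:1928.
HEXDUMP = """\
000 : 52 45 54 52 20 2F 68 6F 6D 65 2F 30 30 31 2F 6D   RETR /home/001/m
010 : 2F 6D 78 2F 6D 78 61 30 32 34 30 30 30 2F 70 75   /mx/mxa024000/pu
020 : 62 6C 69 63 5F 68 74 6D 6C 2F 69 6D 61 67 65 73   blic_html/images
030 : 2F 73 68 61 64 6F 77 54 6F 70 2E 67 69 66 0D 0A   /shadowTop.gif..
"""

# Constructed sample of what the rule is actually meant to catch (not from the post).
TRUE_POSITIVE = b"RETR /etc/shadow\r\n"


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset : XX XX ...   ascii' dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        # 16 bytes per line occupy 47 characters; the ASCII column follows.
        hexpart = line.split(":", 1)[1].strip()[:47]
        out += bytes.fromhex(hexpart)
    return bytes(out)


def matches(payload: bytes, contents) -> bool:
    """Approximate Snort content matching: every (pattern, nocase) pair must
    occur somewhere in the payload; no distance/within/offset modifiers."""
    for pattern, nocase in contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True


# sid:1928 rev:3 as quoted above: "RETR" (nocase) plus a bare "shadow".
SID_1928 = [(b"RETR", True), (b"shadow", False)]
# The tightening proposed in the post: match the path, not the bare word.
PROPOSED = [(b"RETR", True), (b"/etc/shadow", False)]


def evaluate(payload: bytes) -> dict:
    """Return which of the two rule variants would fire on this payload."""
    return {"sid1928": matches(payload, SID_1928),
            "proposed": matches(payload, PROPOSED)}


if __name__ == "__main__":
    fp = parse_hexdump(HEXDUMP)
    print(fp)
    print("false positive:", evaluate(fp))            # sid1928 fires, proposed does not
    print("true positive: ", evaluate(TRUE_POSITIVE))  # both fire
```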