[Snort-users] ftp false alerts, fractals, false backdoor alerts

Martin Roesch roesch at ...421...
Mon Oct 2 14:17:04 EDT 2000


Many (most?) of the backdoor alerts are extremely promiscuous in what they go
off for; I generally turn everything but the most specific ones off myself. 
It's very reasonable to modify them pretty much any way that makes them alert
less frequently. :)

    -Marty

Andrew Daviel wrote:
> 
> One of our users maintains a fractal database on a VMS machine at
> ftp://spanky.triumf.ca/fractals/images/   (also via http)
> 
> I see a lot of alerts for this machine; I'm not quite certain
> whether it's because of all the ftp traffic incrementing port numbers
> across the trojan detectors, or whether it's because fractal images
> eventually match short patterns.
> 
> I also see stuff like
> [**] BACKDOOR ACTIVITY-Possible Mini Command 1.2 Access [**]
>  09/26-16:08:44.472728 ppp04:1050 -> 209.185.160.26:80
>  TCP TTL:126 TOS:0x0 ID:39424 DF
>  **S***** Seq: 0x3FB09 Ack: 0x0 Win: 0x2000
>  TCP Options => MSS: 536 NOP NOP SackOK
> 
> which I guess is part of a normal HTTP download where the source port
> happened to match the backdoor port
> 
> These all contribute to the general noise so I tend not to believe
> any of them.
> Is it reasonable to change these backdoor rules to say "not port 80"?
> How would one do that?
>   alert tcp $HOME_NET 1050 -> !$HOME_NET !80  I guess ?
> How about "not 80 or 21"?
> 
> Andrew Daviel, TRIUMF
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
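The port-negation tuning Andrew asks about, as an added example that is not part of the original thread: a minimal evaluator for Snort-style rule headers, used to check whether the quoted packet (source port 1050 to 209.185.160.26:80) would still alert once the destination port excludes 80 and 21. It assumes the bracketed port-list syntax `![80,21]` of later Snort releases, a constructed value for `$HOME_NET`, and ignores rule options (content matches).

```python
# Added example, not from the original thread or the Snort project.
# Evaluates only the header part of a Snort-style rule against a packet's
# addresses and ports; rule options such as content: are ignored.
import ipaddress

# Constructed placeholder for the $HOME_NET variable.
VARS = {"$HOME_NET": ipaddress.ip_network("192.0.2.0/24")}


def _port_matches(spec, port):
    """Snort port spec: 'any', '80', '1:1024', '[80,21]', with optional '!' negation."""
    if spec.startswith("!"):
        return not _port_matches(spec[1:], port)
    if spec == "any":
        return True
    for item in spec.strip("[]").split(","):
        if ":" in item:  # range, either bound may be omitted
            lo, hi = item.split(":")
            if (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535):
                return True
        elif int(item) == port:
            return True
    return False


def _ip_matches(spec, addr):
    """Snort address spec: 'any', a variable, or CIDR, with optional '!' negation."""
    if spec.startswith("!"):
        return not _ip_matches(spec[1:], addr)
    if spec == "any":
        return True
    net = VARS[spec] if spec in VARS else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(addr) in net


def header_matches(rule, src_ip, src_port, dst_ip, dst_port):
    """True if the packet satisfies the header of a unidirectional (->) rule."""
    _action, _proto, src, sport, arrow, dst, dport = rule.split()[:7]
    if arrow != "->":
        raise ValueError("only '->' rules are handled here")
    return (_ip_matches(src, src_ip) and _port_matches(sport, src_port)
            and _ip_matches(dst, dst_ip) and _port_matches(dport, dst_port))


# Constructed packet modelled on the quoted alert: internal host, sport 1050, HTTP.
PACKET = ("192.0.2.10", 1050, "209.185.160.26", 80)
ORIGINAL = "alert tcp $HOME_NET 1050 -> !$HOME_NET any"
TUNED = "alert tcp $HOME_NET 1050 -> !$HOME_NET ![80,21]"

if __name__ == "__main__":
    print("original rule fires:", header_matches(ORIGINAL, *PACKET))  # True
    print("tuned rule fires:", header_matches(TUNED, *PACKET))        # False
```

The tuned header still fires for an internal source port 1050 talking to any other destination port, so the exclusion only removes the HTTP and FTP cases the thread identifies as noise.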
