[Snort-users] ftp false alerts, fractals, false backdoor alerts

Andrew Daviel andrew at ...523...
Thu Sep 28 15:38:27 EDT 2000


One of our users maintains a fractal database on a VMS machine at
ftp://spanky.triumf.ca/fractals/images/   (also via http)

I see a lot of alerts for this machine; I'm not quite certain
whether it's because of all the ftp traffic incrementing port numbers
across the trojan detectors, or whether it's because fractal images
eventually match short patterns.

I also see stuff like
[**] BACKDOOR ACTIVITY-Possible Mini Command 1.2 Access [**]
 09/26-16:08:44.472728 ppp04:1050 -> 209.185.160.26:80
 TCP TTL:126 TOS:0x0 ID:39424 DF
 **S***** Seq: 0x3FB09 Ack: 0x0 Win: 0x2000
 TCP Options => MSS: 536 NOP NOP SackOK 

which I guess is part of a normal HTTP download where the source port
happened to match the backdoor port.

These all contribute to the general noise so I tend not to believe
any of them.
Is it reasonable to change these backdoor rules to say "not port 80"?
How would one do that?
  alert tcp $HOME_NET 1050 -> !$HOME_NET !80  I guess?
How about "not 80 or 21"?


Andrew Daviel, TRIUMF
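As an added illustration of the port syntax the question asks about (not code from the thread or from Snort itself): a small Python model of Snort's port-specification grammar (single port, `a:b` ranges, `any`, `!` negation and bracketed lists as described in the Snort manual; the bracketed list form is a later Snort feature and is an assumption here), run against the 1050 -> 80 connection from the quoted alert and rule headers built from the one sketched in the post.

```python
"""Model Snort-style port specifications and test them against a connection.

Added example; the rule headers below are constructed from the one in the
post, not taken from any shipped Snort ruleset.
"""
import re


def parse_ports(spec):
    """Return (negated, ports) for a Snort port expression; ports=None means any."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec == "any":
        return negated, None
    if spec.startswith("[") and spec.endswith("]"):   # list form, assumed: [80,21:23]
        spec = spec[1:-1]
    ports = set()
    for item in spec.split(","):
        m = re.fullmatch(r"(\d*):(\d*)", item.strip())  # ranges: a:b, :b, a:
        if m:
            lo = int(m.group(1) or 1)
            hi = int(m.group(2) or 65535)
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return negated, ports


def port_matches(spec, port):
    """True when 'port' satisfies the expression, honouring a leading '!'."""
    negated, ports = parse_ports(spec)
    hit = True if ports is None else port in ports
    return hit != negated


def rule_matches(header, src_port, dst_port):
    """Evaluate only the port fields of a header such as
    'alert tcp $HOME_NET 1050 -> !$HOME_NET ![80,21]' (no spaces inside lists)."""
    parts = header.split()
    sport, direction, dport = parts[3], parts[4], parts[6]
    forward = port_matches(sport, src_port) and port_matches(dport, dst_port)
    if direction == "<>":   # bidirectional: also try the swapped orientation
        return forward or (port_matches(sport, dst_port) and port_matches(dport, src_port))
    return forward


# Connection from the alert quoted above: ppp04:1050 -> 209.185.160.26:80
SRC_PORT, DST_PORT = 1050, 80
ORIGINAL = "alert tcp $HOME_NET 1050 -> !$HOME_NET any"
NOT_80 = "alert tcp $HOME_NET 1050 -> !$HOME_NET !80"
NOT_80_OR_21 = "alert tcp $HOME_NET 1050 -> !$HOME_NET ![80,21]"

if __name__ == "__main__":
    for name, rule in [("original", ORIGINAL), ("!80", NOT_80), ("![80,21]", NOT_80_OR_21)]:
        print(f"{name:10} fires on 1050->80: {rule_matches(rule, SRC_PORT, DST_PORT)}")
```

Excluding destination ports 80 and 21 silences the alerts from ordinary web and FTP clients that happen to pick source port 1050, at the cost that the rule no longer inspects any connection to those two ports at all.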



