[Snort-users] ftp false alerts, fractals, false backdoor alerts
andrew at ...523...
Thu Sep 28 15:38:27 EDT 2000
One of our users maintains a fractal database on a VMS machine at
ftp://spanky.triumf.ca/fractals/images/ (also via http)
I see a lot of alerts for this machine; I'm not quite certain
whether it's because of all the ftp traffic incrementing port numbers
across the trojan detectors, or whether it's because fractal images
eventually match short patterns.
I also see stuff like
[**] BACKDOOR ACTIVITY-Possible Mini Command 1.2 Access [**]
09/26-16:08:44.472728 ppp04:1050 -> 184.108.40.206:80
TCP TTL:126 TOS:0x0 ID:39424 DF
**S***** Seq: 0x3FB09 Ack: 0x0 Win: 0x2000
TCP Options => MSS: 536 NOP NOP SackOK
which I guess is part of a normal HTTP download where the source port
happened to match the backdoor port.
These all contribute to the general noise so I tend not to believe
any of them.
Is it reasonable to change these backdoor rules to say "not port 80"?
How would one do that?
alert tcp $HOME_NET 1050 -> !$HOME_NET !80 I guess?
How about "not 80 or 21"?
Andrew Daviel, TRIUMF
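As an added illustration (not part of the original post, and not Snort's own code), a Python triage pass over the full-alert format quoted above: it parses the blank-line-separated records and marks those that look like an ordinary client SYN to a service port, the case the post describes where the ephemeral source port merely collides with the trojan port. The second record and the 192.0.2.7 address are constructed sample data, and treating 80 and 21 as the "service" ports is an assumption taken from the post.

```python
import re
from dataclasses import dataclass

# Regexes for the classic Snort "full" alert format quoted in the post.
MSG_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]$")
HDR_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$")
FLAGS_RE = re.compile(r"^(?P<flags>[\*A-Z0-9]{8})\s+Seq:")

# Ports the post proposes to exclude (assumption: 80 and 21 only).
SERVICE_PORTS = {80, 21}

@dataclass
class Alert:
    msg: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

def parse_alerts(text):
    """Split an alert file into records (blank-line separated) and parse each."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        msg = hdr = flags = None
        for line in block.splitlines():
            line = line.strip()
            if m := MSG_RE.match(line):
                msg = m.group("msg")
            elif m := HDR_RE.match(line):
                hdr = m
            elif m := FLAGS_RE.match(line):
                flags = m.group("flags")
        if msg and hdr:
            alerts.append(Alert(msg, hdr["src"], int(hdr["sport"]),
                                hdr["dst"], int(hdr["dport"]), flags or ""))
    return alerts

def likely_client_noise(a, service_ports=SERVICE_PORTS):
    """True for a bare SYN (S set, A clear) aimed at a well-known service port:
    a client opening a connection whose ephemeral source port happened to
    equal the backdoor port the rule keys on."""
    return "S" in a.flags and "A" not in a.flags and a.dport in service_ports

def triage(text, service_ports=SERVICE_PORTS):
    """Return (alert, suppress?) pairs so the remaining alerts can be reviewed."""
    return [(a, likely_client_noise(a, service_ports)) for a in parse_alerts(text)]

# Constructed sample: the record from the post plus a second one (192.0.2.7 is
# a documentation address) whose destination is not a service port.
SAMPLE = """[**] BACKDOOR ACTIVITY-Possible Mini Command 1.2 Access [**]
09/26-16:08:44.472728 ppp04:1050 -> 184.108.40.206:80
TCP TTL:126 TOS:0x0 ID:39424 DF
**S***** Seq: 0x3FB09 Ack: 0x0 Win: 0x2000
TCP Options => MSS: 536 NOP NOP SackOK

[**] BACKDOOR ACTIVITY-Possible Mini Command 1.2 Access [**]
09/26-16:09:01.000000 192.0.2.7:1050 -> 184.108.40.206:1050
TCP TTL:64 TOS:0x0 ID:1 DF
**S***** Seq: 0x1 Ack: 0x0 Win: 0x2000
"""
```

Running `triage(SAMPLE)` marks the first record as client noise and keeps the second for review; the flag check looks for the letters rather than a fixed column, so it does not depend on which Snort version printed the flag string.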