[Snort-users] pass rules for one alert

John Sage jsage at ...2022...
Mon Sep 2 16:20:45 EDT 2002


Addy:

On Mon, Sep 02, 2002 at 07:39:21AM -0400, Night-Stalker wrote:
> Hello everybody,
> 
> I have a simple question:
> I want to ignore exactly one rule, that triggers false positives
> from one host to another. To do so, I wrote an pass-rule like that:
> 
> pass tcp <source-ip> any -> <dest-ip> 21 (msg:"FTP command overflow
> attempt"; flags:A+; dsize:>100; reference:bugtraq,4638;
> classtype:protocol-command-decode; sid:1748; rev:3;)

This is looking at a packet payload size > 100; this is not specific
enough?

What *would* make it specific enough? See below...

> I don't want to ignore all FTP-Data between these hosts, only the
> FTP-Data that triggers this alert (thats means the pass-rule:
> pass tcp <source-ip> any -> <dest-ip> 21
> isn't precise enough. And ignores all FTP-Data.)
> 
> Is it possible to ignore exactly the FTP-Data between these Hosts,
> that triggers that alert. I want the other FTP-Data between these
> Hosts being scanned for other FTP-Exploits except the "FTP command
> overflow attempt".

In a word, yes, but if you want help from anyone on this list you'll
have to tell *us* what "..exactly the FTP-Data between these Hosts.."
is, because until we know, no one can help you...


- John
-- 
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705




More information about the Snort-users mailing list