[Snort-users] pass rules for one alert

Night-Stalker TheEagleSociety at ...2792...
Tue Sep 3 00:16:09 EDT 2002

Hello John,

the Payload, that snort logs looks like this:

  length = 131
  LIST..PASV..CDW //directory1/directory2..LIST..PASV..
  CWD //directory3/directory4..LIST..PASV..

As I can see, it must be an hourly cron-job from host1 to host2 via FTP. Every hour, I get 5 false positives of this alert. Only between these hosts. My pass-rule, which I wrote below, doesn't work, or it works but also triggers the alert-rule. As I wrote, I only want to ignore this false positive between these hosts and I don't want to comment out the complete alert-rule to ignore all these alerts. I also don't want to write a pass-rule to ignore the complete FTP-Transfers between these hosts.
Can anybody help me out?



John Sage <jsage at ...2022...> wrote:
>>**-- snip --**
>> pass tcp <source-ip> any -> <dest-ip> 21 (msg:"FTP command overflow
>> attempt"; flags:A+; dsize:>100; reference:bugtraq,4638;
>> classtype:protocol-command-decode; sid:1748; rev:3;)
>This is looking at a packet payload size > 100; this is not specific
>What *would* make it specific enough? See below...
>> I don't want to ignore all FTP-Data between these hosts, only the
>> FTP-Data that triggers this alert (that means the pass-rule:
>> pass tcp <source-ip> any -> <dest-ip> 21
>> isn't precise enough. And ignores all FTP-Data.)
>> Is it possible to ignore exactly the FTP-Data between these Hosts,
>> that triggers that alert. I want the other FTP-Data between these
>> Hosts being scanned for other FTP-Exploits except the "FTP command
>> overflow attempt".
>In a word, yes, but if you want help from anyone on this list you'll
>have to tell *us* what "..exactly the FTP-Data between these Hosts.."
>is, because until we know, no one can help you...
>- John
>"In those days, you could not buy a $2000 200MHz Pentium server."
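An added example, not from this thread, of the more specific pass rule John is asking for. It keeps the same packet-level conditions as the alert rule quoted above (`flags:A+; dsize:>100;`) and adds a `content:` match on the directory string that shows up in the logged payload, so only that cron job's packets between the two hosts are passed and every other FTP command between them is still checked against the ruleset. The host addresses, the directory path and the local sids are placeholders standing in for the values in the post; `-o` is Snort 1.x's rule-order switch that makes pass rules apply before alert rules.

```snort
# Too broad: this passes every FTP control packet from host1 to host2,
# so no FTP exploit between them would ever be seen.
# pass tcp 10.0.0.1 any -> 10.0.0.2 21 (msg:"ftp pass, too broad"; sid:1000001; rev:1;)

# Narrow pass rule: same flags/dsize conditions as sid:1748, plus a content
# match on the known cron-job payload. 10.0.0.1/10.0.0.2 and the directory
# names are placeholders for the real hosts and path. Only a packet that
# carries this exact CWD string is passed; everything else still hits the
# alert rules.
pass tcp 10.0.0.1 any -> 10.0.0.2 21 (msg:"hourly FTP cron job, not sid 1748"; flags:A+; dsize:>100; content:"CWD //directory3/directory4"; sid:1000002; rev:1;)
```

Put the rule in a local rules file that is included from snort.conf and start snort with `-o`; without `-o` Snort 1.x evaluates alert rules first and the pass rule never gets a chance to match, which is the "works but also triggers the alert-rule" symptom. A pass rule skips the whole packet, so keep the content string as long and as specific as the payload allows (the full path rather than just "CWD"), and confirm the tuning by checking that the hourly alerts stop while an FTP packet between the same hosts with a different oversized command still raises sid 1748.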

