[Snort-users] False positives???

Latha K latha_lkris at ...131...
Wed Sep 4 15:14:27 EDT 2002

I was playing with Snort 1.8.7 and noticed this. There is a particular attack in the ftp.rules file "msg:FTP \RETR 1MB\". I believe it indicates an attack should be raised if someone tries to open an FTP session and retrieve the file "1 MB".

I issued an FTP "Get" command to retrieve the "1 MB" file. This file does not exist in my directory and it returns a message "550 1MB: No such file or directory." indicating the "GET" is not successful.

But the alert is logged in the snort log even though the attempt is not successful. Is it not possible to correlate the response of the FTP command and raise an alert only if it was successful???

I think there are quite a few attacks like this for which you can know by seeing the response if the attack is successful and then raise alerts?

Any comments?
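
The request/response correlation asked about in the message above, as an added example that is not part of the original post and is not Snort code: a Python sketch that pairs each watched `RETR` with the server's final reply on the control channel and classifies the attempt. The names `correlate`, `watched_retr`, `final_reply_code` and `WATCHED_FILE` are hypothetical, and the sample sessions are constructed (only the 550 reply text comes from the post).

```python
# Added example: pair an FTP RETR with the server's reply before alerting.
WATCHED_FILE = "1MB"   # assumption: the filename the rule keys on


def watched_retr(line):
    """Return the filename if line is 'RETR <WATCHED_FILE>', else None."""
    verb, _, arg = line.strip().partition(" ")
    arg = arg.strip()
    return arg if verb.upper() == "RETR" and arg == WATCHED_FILE else None


def final_reply_code(line):
    """Return the code of a final reply line ('ddd text'), else None.

    'ddd-text' lines continue a multi-line reply (RFC 959) and are skipped.
    """
    if len(line) >= 3 and line[:3].isdigit() and line[3:4] in (" ", ""):
        return int(line[:3])
    return None


def correlate(session):
    """session: iterable of (direction, line); 'C' = client, 'S' = server.

    Returns one (filename, outcome, reply_code) tuple per watched RETR.
    """
    verdicts, pending = [], None
    for direction, line in session:
        line = line.rstrip("\r\n")
        if direction == "C":
            if pending is not None:      # next command sent before any reply
                verdicts.append((pending, "unanswered", None))
            pending = watched_retr(line)
            continue
        code = final_reply_code(line)
        if pending is None or code is None or code < 200:
            continue                     # 1xx (e.g. 150) is only preliminary
        verdicts.append((pending, "success" if code < 300 else "failed", code))
        pending = None
    if pending is not None:
        verdicts.append((pending, "unanswered", None))
    return verdicts


# Constructed sessions; the 550 text is the reply quoted in the post.
FAILED = [("C", "RETR 1MB\r\n"),
          ("S", "550 1MB: No such file or directory.\r\n")]
SUCCEEDED = [("C", "RETR 1MB\r\n"),
             ("S", "150 Opening BINARY mode data connection for 1MB.\r\n"),
             ("S", "226 Transfer complete.\r\n")]
```

Keeping the "failed" verdicts at a lower severity instead of dropping them preserves the record that the request was attempted.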






