[Snort-users] Remote NIDS

Paul Schmehl pauls at ...6838...
Thu Dec 11 16:07:05 EST 2003


There appears to be some sort of script that is triggering the following 
alerts:

SID 1748 FTP command overflow attempt protocol-command-decode
SID 1377 FTP wu-ftp bad file completion attempt [
SID 1378 FTP wu-ftp bad file completion attempt {
SID 1530 FTP format string attempt
SID 1778 FTP EXPLOIT STAT ? dos attempt
SID 2178 FTP USER format string attempt

I'm seeing this combination of alerts being triggered from multiple IP 
addresses.  Each source address triggers all six of these alerts to one or 
more destination addresses.

1) Is anyone else seeing this?

2) Is there a way to write a rule that would trigger if all six of these 
alerts were triggered from one source address?

3) If anyone else has seen this, would you have a capture?  Perhaps there's 
something in the script that could be used to trigger an alert?

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
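One way to get at question 2 outside Snort itself is to correlate the alert log after the fact. The following is an added example, not code from the post or from the Snort project: it parses Snort "fast" alert lines (the layout is assumed here), groups the six SIDs by source address, and reports the sources that triggered all six. The alert lines, revision numbers and addresses are constructed, not a real capture.

```python
import re
from collections import defaultdict

# The six FTP SIDs that the post reports firing together from one source.
REQUIRED_SIDS = {1748, 1377, 1378, 1530, 1778, 2178}

# Snort "fast" alert layout (assumed here):
#   <ts>  [**] [gid:sid:rev] <msg> [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)"
)

def parse_alert(line):
    """Return (sid, src, dst) for one fast-format alert line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return int(m.group("sid")), m.group("src"), m.group("dst")

def correlate(lines, required=REQUIRED_SIDS):
    """Collect the required SIDs each source address has triggered and
    return, sorted, the sources that triggered every one of them."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        sid, src, _dst = parsed
        if sid in required:
            seen[src].add(sid)
    return sorted(src for src, sids in seen.items() if sids >= required)

# Constructed sample alerts, not a real capture: 10.0.0.5 fires all six SIDs,
# 10.0.0.9 fires only one of them, 10.0.0.7 fires an unrelated SID.
SAMPLE_ALERTS = """\
12/11-15:01:02.100000  [**] [1:1748:5] FTP command overflow attempt [**] [Priority: 2] {TCP} 10.0.0.5:3301 -> 192.0.2.10:21
12/11-15:01:02.200000  [**] [1:1377:8] FTP wu-ftp bad file completion attempt [ [**] [Priority: 2] {TCP} 10.0.0.5:3301 -> 192.0.2.10:21
12/11-15:01:02.300000  [**] [1:1378:8] FTP wu-ftp bad file completion attempt { [**] [Priority: 2] {TCP} 10.0.0.5:3301 -> 192.0.2.10:21
12/11-15:01:02.400000  [**] [1:1530:6] FTP format string attempt [**] [Priority: 2] {TCP} 10.0.0.5:3301 -> 192.0.2.10:21
12/11-15:01:02.500000  [**] [1:1778:4] FTP EXPLOIT STAT ? dos attempt [**] [Priority: 2] {TCP} 10.0.0.5:3301 -> 192.0.2.10:21
12/11-15:01:02.600000  [**] [1:2178:3] FTP USER format string attempt [**] [Priority: 2] {TCP} 10.0.0.5:3301 -> 192.0.2.11:21
12/11-15:03:10.000000  [**] [1:1748:5] FTP command overflow attempt [**] [Priority: 2] {TCP} 10.0.0.9:4410 -> 192.0.2.10:21
12/11-15:04:00.000000  [**] [1:1000:1] CONSTRUCTED unrelated alert [**] [Priority: 3] {TCP} 10.0.0.7:5000 -> 192.0.2.10:21
"""

def sources_firing_all_six():
    """Run the correlation over the constructed sample; expect ['10.0.0.5']."""
    return correlate(SAMPLE_ALERTS.splitlines())
```

Feeding a real alert file to `correlate()` gives the per-source list the post asks for; a source that triggers only some of the six is left out, which is the cheap filter that separates the scripted sweep from a stray single alert.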