[Snort-users] wrong payload entered into data table with 2.2.0 and mysql

Brancato, Mike mike.brancato at ...5841...
Tue Aug 31 06:50:32 EDT 2004

The other day I got a 'FTP EXPLOIT STAT *' event in my IDS from one of our
machines to a customer's FTP machine.  We FTP to that machine on port 21 all
day long, so I know that it is just a false positive.  I looked at the
decoded payload, and the traffic is HTTP traffic from our recruiting website
which is totally different from the machine snort reported this as.  It has
an HTTP GET request, passes the User-Agent and HTTP Referrer data as well,
so I know this is true HTTP traffic.

So the destination machine is a known FTP server we use daily on port 21,
but the data in the packet according to snort is HTTP traffic from our
recruiting website.  What is going on here?

If anyone wants me to send more data about this for debugging, just email me


Michael Brancato
Senior Network Engineer
Affiliated Computer Services, Inc.
Lexington Division, Business Process Solutions
2432 Fortune Drive, Suite 120
Lexington, KY 40509
p: 859.389.4012
c: 859.420.7773

"The first version of Linux was like a time machine. It went back to a
system worse than what [Linus] already had on his desk." 
						- Andy Tanenbaum, author of

More information about the Snort-users mailing list