Snort mailing list archives

Re: FTP passive data transfer FP's and flowbits


From: Martin Holste <mcholste () gmail com>
Date: Mon, 10 Jan 2011 19:54:51 -0600

I've never found the alerts generated by the FTP preproc to be helpful
for anything other than a heartbeat to prove Snort is up and sniffing
traffic.  I recently started to suppress all from that gen_id.  I'm
strongly considering doing the same for the SSL preproc.  The amount
of resources it takes to investigate each false positive is not worth
the off-chance that you will be the one to discover a
never-before-seen new FTP/telnet hack.

On Mon, Jan 10, 2011 at 1:19 PM, Kungu Panda <kungupanda () gmail com> wrote:
I am experiencing a large number of false-positive alerts generated from ftp
sessions; specifically ftp data sessions tripping alerts on binary
transfers.

Any recommendations on associating an ftp command channel with an ftp
passive data-channel which, of course, occurs on ports from the command
channel?  Association for use with snort flowbits to identify ftp sessions
and eliminate FPs on troublesome rules. . .

Thanks,
K.Panda



------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any
company
that requires sensitive data to be transmitted over the Web.   Learn how to
best implement a security strategy that keeps consumers' information secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
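
The association asked about in the original question can be sketched outside Snort as follows. This is an added example, not part of the thread and not Snort code: it reads the server's 227 (PASV) and 229 (EPSV) replies on the control channel and labels the one data connection each reply announces. The function names, the event schema and the sample traffic are assumptions made up for illustration.

```python
import re

# RFC 959: "227 ... (h1,h2,h3,h4,p1,p2)"; RFC 2428: "229 ... (|||port|)".
PASV_RE = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def passive_endpoint(reply, server_ip):
    """Return the (ip, port) the server announced for the data channel, or None."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if all(n <= 255 for n in nums):
            return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
        return None
    m = EPSV_RE.match(reply)
    if m and 0 < int(m.group(2)) <= 65535:
        return server_ip, int(m.group(2))  # EPSV reuses the control-channel address
    return None


def label_flows(events):
    """Label each new TCP connection 'ftp-data' or 'other'."""
    # Hypothetical time-ordered event schema:
    #   ("reply", client_ip, server_ip, line)  server reply on the control channel
    #   ("syn", src_ip, dst_ip, dport)         new TCP connection
    expected = set()  # (client_ip, data_ip, data_port) announced but not yet used
    labels = []
    for kind, a, b, c in events:
        if kind == "reply":
            ep = passive_endpoint(c, b)
            if ep:
                expected.add((a, ep[0], ep[1]))
        elif kind == "syn":
            # One-shot: each passive reply accounts for exactly one data connection.
            known = (a, b, c) in expected
            expected.discard((a, b, c))
            labels.append("ftp-data" if known else "other")
    return labels


# Constructed sample traffic using documentation addresses (not from the thread).
SAMPLE = [
    ("reply", "198.51.100.7", "192.0.2.10", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("syn", "198.51.100.7", "192.0.2.10", 50000),   # announced port: 195*256+80
    ("syn", "198.51.100.7", "192.0.2.10", 50000),   # reuse of a consumed announcement
    ("reply", "198.51.100.7", "192.0.2.10", "229 Entering Extended Passive Mode (|||6446|)"),
    ("syn", "198.51.100.9", "192.0.2.10", 6446),    # different client, not announced
    ("syn", "198.51.100.7", "192.0.2.10", 6446),
]
```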

