Re: FTP passive data transfer FP's and flowbits

[Joel Esler <jesler () sourcefire com>]

Okay, so let me ask you guys.  What can we do (Snort) to make it better?

Joel

On Mon, Jan 10, 2011 at 8:54 PM, Martin Holste <mcholste () gmail com> wrote:

> I've never found the alerts generated by the FTP preproc to be helpful
> for anything other than a heartbeat to prove Snort is up and sniffing
> traffic.  I recently started to suppress all from that gen_id.  I'm
> strongly considering doing the same for the SSL preproc.  The amount
> of resources it takes to investigate each false positive is not worth
> the off-chance that you will be the one to discover a
> never-before-seen new FTP/telnet hack.
>
> On Mon, Jan 10, 2011 at 1:19 PM, Kungu Panda <kungupanda () gmail com> wrote:
> > I am experiencing a large number of false-positive alerts generated from
> ftp
> > sessions; specifically ftp data sessions tripping alerts on binary
> > transfers.
> >
> > Any recommendations on associating an ftp command channel with an ftp
> > passive data-channel which, of course, occur on ports from the command
> > channel?  Association for use with snort flowbits to identify ftp
> sessions
> > and eliminate FPs on troublesome rules. . .
> >
> > Thanks,
> > K.Panda
> ------------------------------------------------------------------------------
> > Gaining the trust of online customers is vital for the success of any
> > company
> > that requires sensitive data to be transmitted over the Web.   Learn how
> to
> > best implement a security strategy that keeps consumers' information
> secure
> > and instills the confidence they need to proceed with transactions.
> > http://p.sf.net/sfu/oracle-sfdevnl
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> ------------------------------------------------------------------------------
> Gaining the trust of online customers is vital for the success of any
> company
> that requires sensitive data to be transmitted over the Web.   Learn how to
> best implement a security strategy that keeps consumers' information secure
> and instills the confidence they need to proceed with transactions.
> http://p.sf.net/sfu/oracle-sfdevnl
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Joel Esler
Skype:eslerjoel
http://blog.snort.org

------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web.   Learn how to 
best implement a security strategy that keeps consumers' information secure 
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users