[unisog] Passive FTP Sessions within HTTP sessions

Andreas Östling andreaso at it.su.se
Thu Jul 17 07:40:50 GMT 2003


On Wed, 16 Jul 2003, Gary Flynn wrote:

> We have a signature in our Snort boxes to detect FTP sessions
> on non-standard ports. This signature has started tripping on
> web traffic and I don't think it was when I first installed it.
...
> Any enlightenment on why and how I would see what appears to be
> FTP sessions inside a HTTP or SMTP session would be greatly
> appreciated!

Probably a bug in Snort that makes it mix up different TCP sessions
(people have reported similar issues on the Snort lists).
You may want to grab the latest snapshot from CVS and see if it helps.

/Andreas



More information about the unisog mailing list