Getting False Positives for FTP sig 6250

gpoer
Level 1

The connection to the server below is anonymous ftp that (as far as the user knows) is working fine. Yet we saw this sig hit 208 times yesterday.

My host.24.56 208 nimbus.ny.net

Signature  Sub-Signature  Hits  Severity  Signature Description
6250       0              208   2         FTP Authorization Failure

This is the hex data in the alarm_log

===

220 wxftp.ks.unisys.com FTP server (Version wu-2.6.2(1) Tue Mar 19 16:42:34 UTC 2002) ready.

530 Please login with USER and PASS.

530 Please login with USER and PASS.

530AUTH GSSAPI

AUTH KERBEROS_V4

SYST

===

220 wxftp.ks.unisys.com FTP server (Version wu-2.6.2(1) Tue Mar 19 16:42:34 UTC 2002) ready.

530 Please login with USER and PASS.

530 Please login with USER and PASS.

530AUTH GSSAPI

AUTH KERBEROS_V4

SYST

===

220 wxftp.ks.unisys.com FTP server (Version wu-2.6.2(1) Tue Mar 19 16:42:34 UTC 2002) ready.

530 Please login with USER and PASS.

530 Please login with USER and PASS.

530AUTH GSSAPI

AUTH KERBEROS_V4

SYST

I am not sure why this would cause this signature to flag.

Any thoughts?

Geoff

2 Replies

mcerha
Level 3

This is the line causing the problem.

"530 Please login with USER and PASS."

I don't know why the FTP server is sending an FTP "530" response code, but signature 6250 looks for three or more "530" matches between two hosts. I'd recommend creating a filter if this is a persistent problem.

I don't know why the 530 code is coming either. The user is stating that this connection is up and scripted to connect every 10 min, which fits with the logs. It is not really causing me a problem... except in making my head hurt a little :)

Thanks for the advice, I will filter this headache away!

Geoff
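
The reply above says signature 6250 counts three or more "530" responses between two hosts. As an added example (not Cisco's signature logic and not code from this thread), the Python below applies that count to constructed traffic modelled on the alarm data and compares it with a variant that counts only 530 replies to PASS. It assumes each 530 in the capture answers the pre-login command shown beside it; the addresses, host name and the `alice` session are placeholders.

```python
from collections import Counter

THRESHOLD = 3  # from the reply: three or more "530" matches between two hosts

def session(client, server, exchange):
    """Expand (command, reply) pairs into ordered (client, server, dir, line) events."""
    events = []
    for command, reply in exchange:
        events += [(client, server, "C", command), (client, server, "S", reply)]
    return events

def count_530(events, only_after=None):
    """Count 530 replies per host pair; only_after restricts to given client verbs."""
    last_verb, counts = {}, Counter()
    for client, server, direction, line in events:
        pair = (client, server)
        if direction == "C":
            last_verb[pair] = line.split()[0].upper() if line.split() else ""
        elif line.startswith("530") and (only_after is None
                                         or last_verb.get(pair) in only_after):
            counts[pair] += 1
    return counts

def alarms(events, only_after=None):
    """Host pairs whose 530 count reaches the threshold."""
    return sorted(p for p, n in count_530(events, only_after).items()
                  if n >= THRESHOLD)

NEED_LOGIN = "530 Please login with USER and PASS."
# Constructed sample traffic; addresses and host name are placeholders.
EVENTS = session("10.0.0.5", "ftp.example.test", [   # scripted anonymous client
    ("AUTH GSSAPI", NEED_LOGIN),
    ("AUTH KERBEROS_V4", NEED_LOGIN),
    ("SYST", NEED_LOGIN),
    ("USER anonymous", "331 Guest login ok, send your e-mail address as password."),
    ("PASS user@example.test", "230 Guest login ok."),
]) + session("10.0.0.9", "ftp.example.test", [       # repeated rejected passwords
    ("USER alice", "331 Password required for alice."),
    ("PASS wrong1", "530 Login incorrect."),
    ("USER alice", "331 Password required for alice."),
    ("PASS wrong2", "530 Login incorrect."),
    ("USER alice", "331 Password required for alice."),
    ("PASS wrong3", "530 Login incorrect."),
])

if __name__ == "__main__":
    print("any 530 x3:       ", alarms(EVENTS))
    print("530 after PASS x3:", alarms(EVENTS, {"PASS"}))
```

The plain count flags both host pairs, while the PASS-only count flags only the pair with rejected passwords.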