This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS / Snort -> False positive

Hi there

I'm running 7.5.02 with the latest up2date.
I do have IPS enabled.

One of my servers in the internet is using the FTP Space behind the Astaro for backup. The FTP (Pro-FTPd) is running on a Thecus N5200Pro, I setup DNAT and PF Rules.
Basically everything is running fine, but IPS is logging the following for every package (the backup comes in in 5 MB Packages):

Message........: FTP MDTM overflow attempt

Details........: www.snort.org/.../sigs.cgi

Time...........: 2010:01:16-09:29:36

Packet dropped.: yes

Priority.......: 1 (high)

Classification.: Attempted Administrator Privilege Gain

IP protocol....: 6 (TCP)

Signature 2546 "should" be for "Serv-U FTP" Server only.

I'm using ftplicity / duplicity on my server. As the packet seems be get dropped, I doubt my backup is consistent.

Anyone seen something similar?

Thanks

Andre

This thread was automatically locked due to age.

0 BAlfson over 15 years ago

Hi, Andre, IPS in V7.5 is new, more powerful and catches more things. It's not unusual for an installation to include a dozen exceptions in the IPS configuration.

Google on: site:astaro.org IPS "7.5"

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 15 years ago

Hi, you can manually disable that SID since you're not using Serv-U FTP; you can disable rules under the Advanced tab, using the SID #, 2546.

Barry
Cancel
Vote Up 0 Vote Down

Cancel