[Snort-devel] Bug in database output

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Mon Jun 24 08:01:27 EDT 2002


I'll try to find where the problem is later today... 'til then... Here's the
issue:

alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"FTP \"CWD  \" possible warez site"; flow:to_server,established; content:"CWD  "; nocase; depth:5; classtype:misc-activity; sid:546; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"FTP \"MKD  \" possible warez site"; flow:to_server,established; content:"MKD  "; nocase; depth:5; classtype:misc-activity; sid:547; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"FTP \"MKD . \" possible warez site"; flow:to_server,established; content:"MKD ."; nocase; depth:5; classtype:misc-activity; sid:548; rev:4;)


Using these above rules as an example... Any time that one of them triggers
(initially) it creates a sig in the signatures table that is simply "FTP "

The \"(.*) is then completely ignored on every rule with \". Anyway, not
sure if this also happens on other output plugins... If I get time after
meetings today, I will try to figure it out.
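Added example, not code from the original post or from Snort's own sources: the post does not say where in the database output plugin the msg text gets cut, so the script below does not claim to reproduce Snort's code. It shows the class of failure the post describes (a quote-delimited scanner that knows nothing about backslash escapes stops at the first `\"` and keeps only the `FTP ` prefix) beside an escape-aware option parser, both run on the three rules quoted above (joined onto one line each; `to_Server` normalized to `to_server`). The function names, the hypothetical naive extractor and the dict shape of the parsed options are this example's own choices.

```python
# Added example, not code from the original post or from Snort's own sources.
# It reproduces the class of failure the post reports (a msg string cut off at
# the first escaped quote) with a deliberately naive extractor, beside an
# escape-aware option parser, run on the three rules quoted in the post.
import re

# The three rules from the post, each joined onto one line (constructed input).
RULES = [
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"FTP \"CWD  \" possible warez site"; flow:to_server,established; content:"CWD  "; nocase; depth:5; classtype:misc-activity; sid:546; rev:4;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"FTP \"MKD  \" possible warez site"; flow:to_server,established; content:"MKD  "; nocase; depth:5; classtype:misc-activity; sid:547; rev:4;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORT (msg:"FTP \"MKD . \" possible warez site"; flow:to_server,established; content:"MKD ."; nocase; depth:5; classtype:misc-activity; sid:548; rev:4;)',
]


def naive_msg(rule):
    r"""Quote-delimited extraction that knows nothing about backslash escapes.

    On the rules above the first '"' after msg:" is the escaped one, so
    everything after 'FTP ' is lost and only a stray backslash is kept.
    This is the hypothetical failing scanner, not Snort's code.
    """
    m = re.search(r'msg:"([^"]*)"', rule)
    return m.group(1) if m else None


def parse_options(rule):
    r"""Parse the option body between the outer parentheses into a dict.

    Splits on ';' only outside double quotes, and inside quotes treats a
    backslash as escaping the next character (so \" and \\ survive).  Quoted
    values keep their whitespace exactly (content:"CWD  " has two spaces);
    unquoted values and option names are stripped.  Flag options such as
    'nocase' map to None.
    """
    body = rule[rule.index('(') + 1 : rule.rindex(')')]
    opts = {}
    name, buf, in_quote, quoted = None, [], False, False

    def flush():
        nonlocal name, buf, quoted
        if name is None:
            key = ''.join(buf).strip()
            if key:
                opts[key] = None          # flag option without a value
        else:
            value = ''.join(buf)
            opts[name] = value if quoted else value.strip()
        name, buf, quoted = None, [], False

    i = 0
    while i < len(body):
        c = body[i]
        if in_quote:
            if c == '\\' and i + 1 < len(body):
                buf.append(body[i + 1])   # keep the escaped character literally
                i += 2
                continue
            if c == '"':
                in_quote = False
            else:
                buf.append(c)
        elif c == '"':
            in_quote, quoted = True, True
        elif c == ':' and name is None:
            name = ''.join(buf).strip()
            buf = []
        elif c == ';':
            flush()
        else:
            buf.append(c)
        i += 1
    if in_quote:
        raise ValueError("unterminated quoted string in rule options")
    flush()   # a final option written without a trailing ';'
    return opts


def signature_names(rules, extractor):
    """Message text each rule would contribute under a given extractor."""
    return [extractor(r) for r in rules]


if __name__ == '__main__':
    naive = signature_names(RULES, naive_msg)
    good = signature_names(RULES, lambda r: parse_options(r)['msg'])
    for n, g in zip(naive, good):
        print(repr(n), '->', repr(g))
```

The point of the comparison is that any consumer of the rule text (an output plugin building a signature row, a rule-management script, a log parser) has to carry the same escape-aware tokenizer as the rule parser itself; otherwise every rule whose msg contains `\"` collapses to its prefix, and distinct rules such as sid 546, 547 and 548 end up sharing one signature entry.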
