[Snort-devel] snort ftp invalid mode

rmkml rmkml at ...1042...
Wed Nov 24 14:45:33 EST 2004


Hi,

Im use snort v220b30

on fbsd410r,

Im found this event :

rr/tt-12:26:57.731765  [**] [1:1623:6] FTP invalid MODE [**] 
[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
x.x.x.x:3788 -> y.y.y.y:21

and look pcap/txt dump :

  220 Serv-U FTP Server v5.2 for WinSock ready
  211-Extension supported

  CLNT\r\n MDTM\r\n MDTMYYYYMMDDHHMMSS[+-TZ];filename\r\n SIZE\r\n SITE
  PSWD;EXEC;SET;INDEX;ZONE;CHMOD;MSG\r\n REST STREAM\r\n
  XCRC filename;start;end\r\n MODE Z\r\n211 End

12:26:57.731765 x.x.x.x.3788 > y.y.y.y.21: P [tcp sum ok]
379573104:379573112(8) ack 3026965603 win 65187 (DF) (ttl 127, id 5979,
len 48)
E..0.[@....S>."....F.......p.k.cP...xN..MODE Z\r\n

  200 MODE Z ok.


Regards

Rmkml at ...2334...





More information about the Snort-devel mailing list