[Snort-devel] just something to note about ftpbounce keyword.

Will Metcalf william.metcalf at ...2499...
Wed Mar 17 17:23:21 EDT 2010


I can't really see a valid use case here as the ftpbounce keyword is
used in all of like one rule but.....

Regards,

Will

#test 128 ftpbounce byte_test + relative
#fails
#
#file ftpbounceattack.pcap
alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative"; content:"P"; byte_test:1,=,82,1,relative; ftpbounce; classtype:bad-unknown; sid:128; rev:1;)

#test 129 byte_test + relative
#works
#
#file ftpbounceattack.pcap
alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative"; content:"P"; byte_test:1,=,82,1,relative; classtype:bad-unknown; sid:129; rev:1;)



