[Snort-devel] just something to note about ftpbounce keyword.

Will Metcalf william.metcalf at ...2499...
Wed Mar 17 18:00:54 EDT 2010


Also looks like we can't match on anything after the PORT command...

PORT 192,168,2,1,0,111

#fails
alert tcp any any -> any any (msg:"ftpbounce depth content 192";
content:"192"; ftpbounce; classtype:bad-unknown; sid:27; rev:1;)

#fails
alert tcp any any -> any any (msg:"ftpbounce depth content 111";
content:"111"; ftpbounce; classtype:bad-unknown; sid:28; rev:1;)

#works
alert tcp any any -> any any (msg:"ftpbounce depth content PORT";
content:"PORT"; ftpbounce; classtype:bad-unknown; sid:29; rev:1;)

Regards,

Will

On Wed, Mar 17, 2010 at 4:23 PM, Will Metcalf <william.metcalf at ...2499...> wrote:
> I can't really see a valid use case here as the ftpbounce keyword is
> used in all of like one rule but.....
>
> Regards,
>
> Will
>
> #test 128 ftpbounce byte_test + relative
> #fails
> #
> #file ftpbounceattack.pcap
> alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative";
> content:"P"; byte_test:1,=,82,1,relative; ftpbounce;
> classtype:bad-unknown; sid:128; rev:1;)
>
> #test 129 byte_test + relative
> #works
> #
> #file ftpbounceattack.pcap
> alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative";
> content:"P"; byte_test:1,=,82,1,relative;  classtype:bad-unknown;
> sid:129; rev:1;)
>
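The check the ftpbounce keyword approximates, written out as an added example in Python (not Snort's code): it parses the PORT command from the sample payload above and flags a bounce when the address in it differs from the address of the client that sent it. It scans the whole payload for PORT rather than relying on where an earlier content match left the detection cursor; the payloads and the client_ip values are constructed.

```python
import ipaddress
import re
from typing import Optional, Tuple

# "PORT h1,h2,h3,h4,p1,p2" as an active-mode FTP client sends it; the search
# is anchored nowhere, so it finds the command wherever it sits in the payload.
_PORT_RE = re.compile(
    rb"PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})",
    re.IGNORECASE,
)


def parse_port_command(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from the first PORT command in payload, or None."""
    m = _PORT_RE.search(payload)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # an octet or port byte out of range: not a valid PORT
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # p1*256 + p2, e.g. 0,111 -> 111
    return ip, port


def is_ftp_bounce(payload: bytes, client_ip: str) -> Optional[bool]:
    """True when PORT asks the server to open the data connection to a host
    other than the client that issued the command (the classic FTP bounce),
    False when it names the client itself, None without a parseable PORT."""
    parsed = parse_port_command(payload)
    if parsed is None:
        return None
    ip, _port = parsed
    return ipaddress.ip_address(ip) != ipaddress.ip_address(client_ip)


if __name__ == "__main__":
    # Constructed sample: the PORT line from the mail, sent by a client at
    # 10.0.0.5 (hypothetical), which is therefore a bounce attempt.
    sample = b"PORT 192,168,2,1,0,111\r\n"
    print(parse_port_command(sample), is_ftp_bounce(sample, "10.0.0.5"))
```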
