[Snort-devel] just something to note about ftpbounce keyword.

Steven Sturges steve.sturges at ...402...
Thu Mar 18 08:44:56 EDT 2010


Why not just use the ftp bounce detection in the ftp/telnet
preprocessor?  The rule option was only added as a precursor
to that, as development/test for a rule option is much simpler
than that of a preprocessor.

Will Metcalf wrote:
> Also looks like we can't match on anything after the PORT command...
> 
> PORT 192,168,2,1,0,111
> 
> #fails
> alert tcp any any -> any any (msg:"ftpbounce depth content 192";
> content:"192"; ftpbounce; classtype:bad-unknown; sid:27; rev:1;)
> 
> #fails
> alert tcp any any -> any any (msg:"ftpbounce depth content 111";
> content:"111"; ftpbounce; classtype:bad-unknown; sid:28; rev:1;)
> 
> #works
> alert tcp any any -> any any (msg:"ftpbounce depth content PORT";
> content:"PORT"; ftpbounce; classtype:bad-unknown; sid:29; rev:1;)
> 
> Regards,
> 
> Will
> 
> On Wed, Mar 17, 2010 at 4:23 PM, Will Metcalf <william.metcalf at ...2499...> wrote:
>> I can't really see a valid use case here as the ftpbounce keyword is
>> used in all of like one rule but.....
>>
>> Regards,
>>
>> Will
>>
>> #test 128 ftpbounce byte_test + relative
>> #fails
>> #
>> #file ftpbounceattack.pcap
>> alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative";
>> content:"P"; byte_test:1,=,82,1,relative; ftpbounce;
>> classtype:bad-unknown; sid:128; rev:1;)
>>
>> #test 129 byte_test + relative
>> #works
>> #
>> #file ftpbounceattack.pcap
>> alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative";
>> content:"P"; byte_test:1,=,82,1,relative;  classtype:bad-unknown;
>> sid:129; rev:1;)
>>
> 
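For readers following the thread, the condition both the ftpbounce rule option and the ftp/telnet preprocessor's bounce detection test is whether the address in a client's PORT command differs from the address the command came from. The following is an added illustration of that check written for this page, not Snort's own code or anything posted by Steve or Will; the function names and the sample FTP lines are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the PORT line Will used in his tests, as the client sent it.
SAMPLE_PORT_LINE = b"PORT 192,168,2,1,0,111\r\n"

# Constructed sample: a short control-channel buffer containing several commands.
SAMPLE_SESSION = (b"USER anonymous\r\nPASS guest@\r\n"
                  b"PORT 192,168,2,1,0,111\r\nLIST\r\n")

# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2, all decimal 0-255; port = p1*256 + p2.
PORT_RE = re.compile(
    rb"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Return (ip, port) for a syntactically valid PORT command, else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # regex allows up to 999; reject anything above an octet
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return str(ip), fields[4] * 256 + fields[5]


def is_ftp_bounce(line, client_ip):
    """True when the PORT command names a data-connection host other than the
    client that issued it, which is the FTP bounce condition the keyword checks."""
    parsed = parse_port_command(line)
    if parsed is None:
        return False
    return parsed[0] != client_ip


def find_bounces(payload, client_ip):
    """Scan every line of a control-channel buffer and return the (ip, port)
    targets of any PORT command that points away from the client."""
    hits = []
    for raw in payload.split(b"\n"):
        parsed = parse_port_command(raw)
        if parsed is not None and parsed[0] != client_ip:
            hits.append(parsed)
    return hits
```

Because the decision depends only on the parsed address and the connection's source, the check is independent of where a content match left the cursor, which is what Will's sid:27 and sid:28 tests show the rule option does not manage on its own.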