[Snort-devel] just something to note about ftpbounce keyword.

Will Metcalf william.metcalf at ...2499...
Thu Mar 18 08:58:35 EDT 2010


> Why not just use the ftp bounce detection in the ftp/telnet
> preprocessor?  The rule option was only added as a precursor
> to that, as development/test for a rule option is much simpler
> than that of a preprocessor.

I understand, hence my "failing to see a valid use case" comment.
With that said, this keyword is still used in an active VRT rule
(sid:3441), at least with the version I have. I'm really not trying to
pick on you guys; I'm just trying to share interesting behavior that
I'm finding. If this stuff isn't of any use to either list, just let
me know and I will stop passing along the info in this format.

Regards,

Will

On Thu, Mar 18, 2010 at 7:44 AM, Steven Sturges
<steve.sturges at ...402...> wrote:
> Why not just use the ftp bounce detection in the ftp/telnet
> preprocessor?  The rule option was only added as a precursor
> to that, as development/test for a rule option is much simpler
> than that of a preprocessor.
>
> Will Metcalf wrote:
>> Also looks like we can't match on anything after the PORT command...
>>
>> PORT 192,168,2,1,0,111
>>
>> #fails
>> alert tcp any any -> any any (msg:"ftpbounce depth content 192";
>> content:"192"; ftpbounce; classtype:bad-unknown; sid:27; rev:1;)
>>
>> #fails
>> alert tcp any any -> any any (msg:"ftpbounce depth content 111";
>> content:"111"; ftpbounce; classtype:bad-unknown; sid:28; rev:1;)
>>
>> #works
>> alert tcp any any -> any any (msg:"ftpbounce depth content PORT";
>> content:"PORT"; ftpbounce; classtype:bad-unknown; sid:29; rev:1;)
>>
>> Regards,
>>
>> Will
>>
>> On Wed, Mar 17, 2010 at 4:23 PM, Will Metcalf <william.metcalf at ...3054....> wrote:
>>> I can't really see a valid use case here as the ftpbounce keyword is
>>> used in all of like one rule but.....
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> #test 128 ftpbounce byte_test + relative
>>> #fails
>>> #
>>> #file ftpbounceattack.pcap
>>> alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative";
>>> content:"P"; byte_test:1,=,82,1,relative; ftpbounce;
>>> classtype:bad-unknown; sid:128; rev:1;)
>>>
>>> #test 129 byte_test + relative
>>> #works
>>> #
>>> #file ftpbounceattack.pcap
>>> alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative";
>>> content:"P"; byte_test:1,=,82,1,relative;  classtype:bad-unknown;
>>> sid:129; rev:1;)
>>>
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
>
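The check behind the ftpbounce option and the ftp/telnet preprocessor's bounce detection, as an added Python example (not Snort's code and not posted by anyone in this thread): it parses PORT h1,h2,h3,h4,p1,p2 per RFC 959 and flags a PORT whose address is not the client's own address. check_at_cursor models the behaviour Will reports above, where the option only fires when the preceding content match leaves the cursor at "PORT"; that model is an assumption drawn from the posted test results, not from Snort's source. The client address 10.0.0.5, the USER line and the over-range PORT are constructed inputs; "PORT 192,168,2,1,0,111" is the line from the thread.

```python
"""Added example: an FTP bounce check modelled on Snort's ftpbounce option.
Not Snort code; the cursor handling is an assumption based on the thread."""
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 : four octets of the data-channel address, then the
# port as two bytes, high byte first (RFC 959, section 4.1.2).
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def parse_port(line):
    """Return (dotted_ip, port) for a PORT command, or None if the line is not a
    well-formed PORT command (wrong verb, wrong field count, a field > 255)."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def is_bounce(client_ip, line):
    """True when the PORT command asks the server to open its data connection to
    an address other than the client that sent the command (classic FTP bounce).
    Non-PORT lines are never a bounce."""
    parsed = parse_port(line)
    if parsed is None:
        return False
    ip, _port = parsed
    return ipaddress.IPv4Address(ip) != ipaddress.IPv4Address(client_ip)


def check_at_cursor(client_ip, payload, cursor):
    """Model of the rule-option behaviour in the thread (assumption, not Snort
    source): the bounce check reads the command starting at the detection
    cursor, so it only succeeds when the preceding content match left the
    cursor at 'PORT'. With the cursor on '192' or '111' the text from there on
    is not a PORT command and the check fails, as in sids 27 and 28 above."""
    return is_bounce(client_ip, payload[cursor:])


def byte_test(payload, cursor, size, value, offset):
    """byte_test:<size>,=,<value>,<offset>,relative modelled on a str payload:
    read <size> bytes at cursor+offset as a big-endian integer and compare.
    For sid:129, content:"P" matches at index 0 of 'PORT ...', leaving the
    cursor at 1; offset 1 reads index 2, which is 'R' (82)."""
    start = cursor + offset
    chunk = payload.encode("ascii")[start:start + size]
    if len(chunk) != size:
        return False
    return int.from_bytes(chunk, "big") == value


if __name__ == "__main__":
    sample = "PORT 192,168,2,1,0,111"      # the PORT line from the thread
    client = "10.0.0.5"                    # constructed client address
    print(parse_port(sample))              # ('192.168.2.1', 111)
    print(is_bounce(client, sample))       # True: 192.168.2.1 is not the client
    print(check_at_cursor(client, sample, sample.find("PORT")))   # True
    print(check_at_cursor(client, sample, sample.find("192")))    # False
    print(byte_test(sample, 1, 1, 82, 1))  # True: index 2 is 'R'
```

Run stand-alone to see the two cursor positions side by side; the same payload flags a bounce from the "PORT" cursor and not from the "192" cursor, which is the difference between sid:29 and sids 27/28 in the thread.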
