[Snort-devel] just something to note about ftpbounce keyword.

Nigel Houghton nhoughton at ...402...
Thu Mar 18 09:06:13 EDT 2010


On Thu, Mar 18, 2010 at 8:58 AM, Will Metcalf <william.metcalf at ...2499...> wrote:
>> Why not just use the ftp bounce detection in the ftp/telnet
>> preprocessor?  The rule option was only added as a precursor
>> to that, as development/test for a rule option is much simpler
>> than that of a preprocessor.
>
> I understand, hence my "failing to see a valid use case" comment.
> With that said, this keyword is still used in an active VRT rule
> (sid:3441), at least with the version I have. I'm really not trying to
> pick on you guys; I'm just trying to share interesting behavior that
> I'm finding. If this stuff isn't of any use to either list, just let
> me know and I will stop passing along the info in this format.
>
> Regards,
>
> Will
>
> On Thu, Mar 18, 2010 at 7:44 AM, Steven Sturges
> <steve.sturges at ...402...> wrote:
>> Why not just use the ftp bounce detection in the ftp/telnet
>> preprocessor?  The rule option was only added as a precursor
>> to that, as development/test for a rule option is much simpler
>> than that of a preprocessor.
>>
>> Will Metcalf wrote:
>>> Also looks like we can't match on anything after the PORT command...
>>>
>>> PORT 192,168,2,1,0,111
>>>
>>> #fails
>>> alert tcp any any -> any any (msg:"ftpbounce depth content 192";
>>> content:"192"; ftpbounce; classtype:bad-unknown; sid:27; rev:1;)
>>>
>>> #fails
>>> alert tcp any any -> any any (msg:"ftpbounce depth content 111";
>>> content:"111"; ftpbounce; classtype:bad-unknown; sid:28; rev:1;)
>>>
>>> #works
>>> alert tcp any any -> any any (msg:"ftpbounce depth content PORT";
>>> content:"PORT"; ftpbounce; classtype:bad-unknown; sid:29; rev:1;)
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On Wed, Mar 17, 2010 at 4:23 PM, Will Metcalf <william.metcalf at ...3035.....> wrote:
>>>> I can't really see a valid use case here as the ftpbounce keyword is
>>>> used in all of like one rule but.....
>>>>
>>>> Regards,
>>>>
>>>> Will
>>>>
>>>> #test 128 ftpbounce byte_test + relative
>>>> #fails
>>>> #
>>>> #file ftpbounceattack.pcap
>>>> alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative";
>>>> content:"P"; byte_test:1,=,82,1,relative; ftpbounce;
>>>> classtype:bad-unknown; sid:128; rev:1;)
>>>>
>>>> #test 129 byte_test + relative
>>>> #works
>>>> #
>>>> #file ftpbounceattack.pcap
>>>> alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative";
>>>> content:"P"; byte_test:1,=,82,1,relative;  classtype:bad-unknown;
>>>> sid:129; rev:1;)
>>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Download Intel® Parallel Studio Eval
>>> Try the new software tools for yourself. Speed compiling, find bugs
>>> proactively, and fine-tune applications for parallel performance.
>>> See why Intel Parallel Studio got high marks during beta.
>>> http://p.sf.net/sfu/intel-sw-dev
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
>>
>


Keep it coming, it's interesting stuff. Issues like this one should be
clearly written down in the manual.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
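The behaviour Will reports above (content:"PORT" followed by ftpbounce fires, content:"192" or content:"111" followed by ftpbounce does not, and byte_test with relative in front of ftpbounce does not) is consistent with the bounce check starting at the detection cursor left by the preceding match rather than at the start of the payload. The following Python is an added illustration, not Snort's sp_ftpbounce.c or the ftp_telnet preprocessor: it implements the check the keyword is meant to perform (the address in a PORT h1,h2,h3,h4,p1,p2 argument differs from the client's own source address) and models the cursor behaviour the thread observes. The cursor semantics, the sample payload, the source addresses and the function names are assumptions for the example; EPRT is not handled.

```python
import re
import ipaddress

# Constructed sample of an FTP command-channel payload, taken from the
# PORT line quoted in the thread (not a capture from ftpbounceattack.pcap).
SAMPLE_PAYLOAD = b"PORT 192,168,2,1,0,111\r\n"

# Six comma-separated decimal fields, as RFC 959 specifies for PORT.
_PORT_ARGS = re.compile(rb"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _skip_space(payload: bytes, i: int) -> int:
    while i < len(payload) and payload[i:i + 1].isspace():
        i += 1
    return i


def parse_port_args(payload: bytes, cursor: int = 0):
    """Parse the PORT argument that begins at ``cursor``.

    ``cursor`` models the detection offset left by a preceding content
    match (0 = start of payload). A 'PORT' verb sitting at the cursor is
    skipped, so the check works both with no preceding content and with
    content:"PORT". Returns (ip_string, port) or None when no well-formed
    six-field argument starts at the cursor (assumed semantics, not
    Snort's actual parser).
    """
    i = _skip_space(payload, cursor)
    if payload[i:i + 4].upper() == b"PORT":
        i = _skip_space(payload, i + 4)
    m = _PORT_ARGS.match(payload[i:])
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(v > 255 for v in nums):
        return None            # malformed octet or port byte
    ip = ".".join(str(v) for v in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def is_ftp_bounce(payload: bytes, src_ip: str, cursor: int = 0) -> bool:
    """True when the PORT command names an address other than the
    client's own, i.e. the server is being asked to connect elsewhere."""
    parsed = parse_port_args(payload, cursor)
    if parsed is None:
        return False
    ip, _port = parsed
    return ipaddress.IPv4Address(ip) != ipaddress.IPv4Address(src_ip)


def rule_matches(payload: bytes, src_ip: str, content: bytes) -> bool:
    """Model of 'content:"X"; ftpbounce;': the content match moves the
    cursor to just past X and the bounce check runs from there."""
    idx = payload.find(content)
    if idx < 0:
        return False
    return is_ftp_bounce(payload, src_ip, cursor=idx + len(content))


if __name__ == "__main__":
    client = "10.0.0.5"   # assumed source address of the FTP client
    for needle in (b"PORT", b"192", b"111"):
        print(needle, rule_matches(SAMPLE_PAYLOAD, client, needle))
```

Run stand-alone, the three rules from the thread are reproduced: only the content:"PORT" form reports the bounce, because for the other two the cursor sits in the middle of, or past, the address fields. The same reasoning explains the byte_test case: a relative byte_test leaves the cursor inside the verb, and the address parse never starts. As Steve Sturges notes, the ftp_telnet preprocessor's own bounce detection does not depend on rule-option cursor placement and is the route to use in production.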