[Snort-sigs] ftp.rules typo?

Brian Cervenka brian at ...46...
Thu May 10 16:34:48 EDT 2001


Excuse me if I'm missing something simple; I am actually currently looking
through the rules to see what snort can do, before I actually set it up on
the network.

In the 'Current Rules' section of the www.snort.org, under ftp.rules,
there's the rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters";flags:
A+; content:"RETR--use-compress-program"; reference:arachnids,134;
reference:cve,CVE-1999-0202;)

This looks typoed to me: shouldnt that be RETR --use-compress-program ?
                                              ^

At http://project.honeynet.org/papers/forensics/snort.txt they have the
similar rule:
alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS134/FTP tar parameters";
content: "RETR --use-compress-program"; flags: AP;)




More information about the Snort-sigs mailing list