[Snort-sigs] ftp.rules typo?

jaustin at ...47... jaustin at ...47...
Sun May 13 01:33:42 EDT 2001


http://whitehats.com/info/ids134

> From: Brian Cervenka <brian at ...46...>
> Date: Thu, 10 May 2001 13:34:48 -0700
> Subject: [Snort-sigs] ftp.rules typo?
> 
> Excuse me if I'm missing something simple; I am actually currently
> looking through the rules to see what snort can do, before I
> actually set it up on the network.
> 
> In the 'Current Rules' section of the www.snort.org, under ftp.rules,
> there's the rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar
> parameters";flags:
> A+; content:"RETR--use-compress-program"; reference:arachnids,134;
> reference:cve,CVE-1999-0202;)
> 
> This looks typoed to me: shouldnt that be RETR --use-compress-program 
?
>                                               ^
> At http://project.honeynet.org/papers/forensics/snort.txt they have the
> similar rule:
> alert TCP $EXTERNAL any -> $INTERNAL 21 (msg: "IDS134/FTP tar
> parameters";
> content: "RETR --use-compress-program"; flags: AP;)
> 

Free, encrypted, secure Web-based email at www.hushmail.com


More information about the Snort-sigs mailing list