[Snort-sigs] first cut at wu-ftpd sigs

Brian bmc at ...95...
Wed Nov 28 14:05:10 EST 2001


According to Chris Green:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
>             (msg: "Possible Wu-Ftpd exploit - [ content"; \
>              reference: url, \
>              "archives.neohapsis.com/archives/vulnwatch/2001-q4/0059.html"; \
>              content: "[";)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
>             (msg: "Possible Wu-Ftpd exploit - { content"; \
>              reference: url, \
>              "archives.neohapsis.com/archives/vulnwatch/2001-q4/0059.html"; \
>              content: "{";)

Thanks Chris.  For those of you not reading the CVS logs, I've modified and 
commited these 2 sigs.  Below are the current revs.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp file completion attempt ["; flags:A+; content:"["; content:!"]"; reference:url,archives.neohapsis.com/archives/vulnwatch/2001-q4/0059.html; sid:1377; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp file completion attempt {"; flags:A+; content:"{"; content:!"}"; reference:url,archives.neohapsis.com/archives/vulnwatch/2001-q4/0059.html; sid:1378; rev:1;)

-brian





More information about the Snort-sigs mailing list