[Snort-sigs] first cut at wu-ftpd sigs

Mark Canter marcus at ...64...
Wed Nov 28 20:02:04 EST 2001


I shudder to think how many false alarms you get with these sigs.  But
given the simplicity of the vulnerability it's kind of a must.  Does
snort have any options to check after the content match is made then
check and make sure corresponding ")" or "]" is not there?  I remember
looking through the docs on ruleset building a while back and don't
recall seeing such an option; maybe a future enhancement for snort?
Dunno on this one...

Might also want to update it with the bugtraq ID of 3581.

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Brian
Sent: Wednesday, November 28, 2001 5:08 PM
To: Chris Green
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] first cut at wu-ftpd sigs


According to Chris Green:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
>             (msg: "Possible Wu-Ftpd exploit - [ content"; \
>              reference: url, \
>              "archives.neohapsis.com/archives/vulnwatch/2001-q4/0059.html"; \
>              content: "[";)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
>             (msg: "Possible Wu-Ftpd exploit - { content"; \
>              reference: url, \
>              "archives.neohapsis.com/archives/vulnwatch/2001-q4/0059.html"; \
>              content: "{";)

Thanks Chris.  For those of you not reading the CVS logs, I've modified
and committed these 2 sigs.  Below are the current revs.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp file completion attempt ["; flags:A+; content:"["; content:!"]"; reference:url,archives.neohapsis.com/archives/vulnwatch/2001-q4/0059.html; sid:1377; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp file completion attempt {"; flags:A+; content:"{"; content:!"}"; reference:url,archives.neohapsis.com/archives/vulnwatch/2001-q4/0059.html; sid:1378; rev:1;)

-brian
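
Added example, not part of the original thread and not Snort code: a simplified Python model of how the two committed rules (sid 1377 and 1378) evaluate a payload, next to a positional bracket check of the kind asked about at the top of the thread. The function names and sample payloads are constructed for illustration; the model assumes payload-wide content matching and ignores TCP flags, ports and stream reassembly.

```python
# Simplified model of sid 1377/1378 from this thread (illustration only).
# Assumption: with no offset/depth modifiers, each content option searches the
# whole packet payload, and content:!"x" is satisfied only when x is absent.

RULES = {1377: (b"[", b"]"), 1378: (b"{", b"}")}  # sid -> (content, negated content)


def fired_sids(payload: bytes) -> list:
    """Return the sids whose content / content:! pair matches this payload."""
    return [sid for sid, (opener, closer) in RULES.items()
            if opener in payload and closer not in payload]


def unclosed_openers(payload: bytes) -> list:
    """Positional check: sids whose opener has no matching closer after it."""
    hits = []
    for sid, (opener, closer) in RULES.items():
        depth = 0
        for byte in payload:
            if byte == opener[0]:
                depth += 1
            elif byte == closer[0] and depth > 0:
                depth -= 1  # a closer only pairs with an earlier opener
        if depth > 0:
            hits.append(sid)
    return hits


# Constructed FTP control-channel payloads (not captured traffic).
SAMPLES = [
    b"LIST report[2001].txt\r\n",  # balanced square brackets
    b"NLST *.{c,h}\r\n",           # balanced braces
    b"RETR notes[draft.txt\r\n",   # opener without closer
    b"STOR a]b[c.txt\r\n",         # closer precedes the opener
]


def compare(samples=SAMPLES):
    """Rows of (payload, rule result, positional result) for rule QA."""
    return [(p, fired_sids(p), unclosed_openers(p)) for p in samples]


if __name__ == "__main__":
    for payload, rule, positional in compare():
        note = "" if rule == positional else "  <- results differ"
        print(f"{payload!r:32} rule={rule} positional={positional}{note}")
```

Balanced file names stay quiet under both checks; the two disagree only where a closing character exists somewhere in the payload but does not pair with the opener.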

