[Snort-sigs] Getright signatures, comments?

William Stearns wstearns at ...157...
Sun Apr 28 14:27:03 EDT 2002


Good day, all,
	Because of bandwidth abuse by a few download accelerator programs, 
we've decided that they violate our ftp policy.  I offer these rules as 
experimental candidates.  Sids left blank, of course.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Getright client access, getright@"; flags:A+; content: "getright@"; reference:url,www.getright.com; classtype:policy-violation; sid:ZZZZ; rev:0;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Getright client access, yourname at ...563..."; flags:A+; content: "yourname at ...564..."; reference:url,www.getright.com; classtype:policy-violation; sid:ZZZZ; rev:0;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Download Accelerator client access, m at ...565..."; flags:A+; content: "m at ...565..."; reference:url,www.landfield.com/wu-ftpd/mail-archive/wuftpd-dev/2000/Oct/0014.html; classtype:policy-violation; sid:ZZZZ; rev:0;)

	Comments, suggestions?
	Cheers,
	- Bill

---------------------------------------------------------------------------
        "cc:Mail is a wonderful application, as long as you don't want
to read or send mail."
(Courtesy of Nix <nix at ...566...>)
--------------------------------------------------------------------------
William Stearns (wstearns at ...157...).  Mason, Buildkernel, named2hosts, 
and ipfwadm2ipchains are at:                        http://www.stearns.org
--------------------------------------------------------------------------
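
Added example (not part of the original post, and not Snort code): a small Python check that contrasts the bare, case-sensitive content match used in the first rule with a match anchored to the FTP PASS command. It assumes the "getright@" token arrives as the PASS argument, which the post does not state; the payloads are constructed, and the two redacted strings from the other rules are not reproduced.

```python
import re

# Token taken from the first rule in the post.
TOKEN = b"getright@"


def unanchored_match(payload: bytes) -> bool:
    """Emulate a bare content match: case-sensitive, anywhere in the payload."""
    return TOKEN in payload


# Assumption: the token is sent as the argument of a PASS command.
# Match it only there, ignoring case, one command per line.
PASS_RE = re.compile(
    rb"^PASS[ \t]+[^\r\n]*" + re.escape(TOKEN),
    re.IGNORECASE | re.MULTILINE,
)


def pass_anchored_match(payload: bytes) -> bool:
    """Match the token only inside the argument of a PASS command."""
    return PASS_RE.search(payload) is not None


# Constructed client-to-server payloads on the FTP control channel (port 21).
SAMPLES = {
    "anon_password": b"PASS getright@\r\n",
    "mixed_case": b"pass GetRight@\r\n",
    "filename": b"RETR mirror/getright@notes.txt\r\n",
    "unrelated": b"PASS user@example.org\r\n",
}


def compare() -> dict:
    """Return {sample name: (unanchored result, PASS-anchored result)}."""
    return {
        name: (unanchored_match(p), pass_anchored_match(p))
        for name, p in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (bare, anchored) in compare().items():
        print(f"{name:14} bare={bare!s:5} pass_anchored={anchored}")
```

The "filename" sample is a false positive for the bare match, and the "mixed_case" sample is a miss for it; anchoring to the command and ignoring case addresses both.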




