[Snort-sigs] truncated msg string

Ian Macdonald secsnortsigs at ...644...
Fri Aug 9 07:50:02 EDT 2002


With 1.8

the signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"CWD /\" possible warez site"; flags:A+; content:"CWD / "; nocase; depth: 6; classtype:misc-activity; sid:545;  rev:3;)

Was logged in the signature database as just "FTP" rather than FTP \CWD

Not sure exactly what is wrong with the sig but thought I would mention it.

Ian
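
The following is an added example, not part of the original post and not Snort code. It assumes one possible cause for a msg cut short like this: a consumer that ends the msg string at the first double quote and ignores the backslash escape. The function names, the control rule, and the "backslash escapes the next character" handling are assumptions made for illustration.

```python
import re

# Rule from the post, joined onto one line.
RULE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"CWD /\" possible '
        r'warez site"; flags:A+; content:"CWD / "; nocase; depth: 6; '
        r'classtype:misc-activity; sid:545;  rev:3;)')
# Constructed control rule with no escaped characters in msg.
CONTROL = 'alert tcp any any -> any 21 (msg:"FTP test"; sid:1000001; rev:1;)'


def naive_msg(rule):
    """Assumed faulty reading: msg ends at the first double quote."""
    m = re.search(r'msg:\s*"([^"]*)"', rule)
    return m.group(1) if m else None


def escaped_msg(rule):
    """Escape-aware reading: a backslash protects the next character."""
    m = re.search(r'msg:\s*"', rule)
    if not m:
        return None
    out, i = [], m.end()
    while i < len(rule):
        ch = rule[i]
        if ch == '\\' and i + 1 < len(rule):
            out.append(rule[i + 1])   # keep the escaped character literally
            i += 2
        elif ch == '"':
            return ''.join(out)       # first unescaped quote closes msg
        else:
            out.append(ch)
            i += 1
    return None                       # unterminated msg string


def audit(rules):
    """Return (sid, naive, full) for rules where the two readings differ."""
    findings = []
    for rule in rules:
        naive, full = naive_msg(rule), escaped_msg(rule)
        if full is not None and naive != full:
            sid = re.search(r'sid:\s*(\d+)', rule)
            findings.append((sid.group(1) if sid else None, naive, full))
    return findings


if __name__ == "__main__":
    for sid, naive, full in audit([RULE, CONTROL]):
        print(f"sid {sid}: naive={naive!r} full={full!r}")
```

Running `audit` over a rules file lists every signature whose msg would be shortened by a quote-terminated reader, which is a quick way to check whether other entries in a signature database are affected.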




