[Snort-sigs] false positives with sid 1992

Russell Fulton r.fulton at ...575...
Sun Feb 9 15:51:03 EST 2003


This rule is generating lots of false +ves.  It assumes that there is only
one command per packet.  Is there a way to terminate the matching if it hits
a CRLF?

 alert tcp $EXTERNAL_NET any -> $HOME_NET 21 
(msg:"FTP LIST directory traversal attempt"; 
content:"LIST"; content:".."; distance:1; content:".."; distance:1; 
reference:cve,CVE-2001-0680; reference:bugtraq,2618; reference:nessus,11112; 
classtype:protocol-command-decode; sid:1992; rev:1;)

[**] FTP LIST directory traversal attempt [**]
02/09-22:00:23.025150 196.4.160.83:49380 -> 130.216.191.125:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:241
***AP*** Seq: 0x8124511B  Ack: 0x8A2311A1  Win: 0x16A0  TcpLen: 20
0x0000: 00 E0 1E 8E 31 71 00 00 0C 46 5C D1 08 00 45 10  ....1q...F\...E.
0x0010: 00 F1 00 00 00 00 F0 06 00 00 C4 04 A0 53 82 D8  .............S..
0x0020: BF 7D C0 E4 00 15 81 24 51 1B 8A 23 11 A1 50 18  .}.....$Q..#..P.
0x0030: 16 A0 00 00 00 00 4D 44 54 4D 20 66 6F 6F 0D 0A  ......MDTM foo..
0x0040: 43 57 44 20 2F 70 75 62 2F 69 61 77 67 2F 4E 65  CWD /pub/iawg/Ne
0x0050: 54 72 61 4D 65 74 0D 0A 65 64 2D 53 69 6E 63 65  TraMet..ed-Since
0x0060: 50 41 53 56 0D 0A 4C 49 53 54 20 2D 6C 74 72 61  PASV..LIST -ltra
0x0070: 0D 0A 43 57 44 20 62 65 74 61 2D 76 65 72 73 69  ..CWD beta-versi
0x0080: 6F 6E 73 0D 0A 54 59 50 45 20 41 0D 0A 50 41 53  ons..TYPE A..PAS
0x0090: 56 0D 0A 4C 49 53 54 20 2D 6C 74 72 61 0D 0A 4D  V..LIST -ltra..M
0x00A0: 44 54 4D 20 4E 65 54 72 61 4D 65 74 34 35 62 38  DTM NeTraMet45b8
0x00B0: 2E 74 61 72 2E 67 7A 0D 0A 43 57 44 20 2E 2E 0D  .tar.gz..CWD ...
0x00C0: 0A 43 57 44 20 2E 2E 0D 0A 43 57 44 20 2F 70 75  .CWD ....CWD /pu
0x00D0: 62 2F 69 61 77 67 2F 4E 65 54 72 61 4D 65 74 0D  b/iawg/NeTraMet.
0x00E0: 0A 54 59 50 45 20 41 0D 0A 50 41 53 56 0D 0A 4C  .TYPE A..PASV..L
0x00F0: 49 53 54 20 2D 6C 52 61 0D 0A 54 59 50 45 20     IST -lRa..TYPE 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin

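The false positive described above, worked as an added example (this is not code from the post or from the Snort project): a small Python emulation of the sid 1992 content chain ("LIST", then ".." with distance:1, then ".." with distance:1) run over the whole packet payload, compared with evaluating the same chain on each CRLF-delimited FTP command by itself. The payload is transcribed from the ASCII column of the dump in the post (the stray "ed-Since" fragment is left out), and the function names and the line-bounded regex are my own constructions, not Snort options.

```python
import re

# Payload transcribed from the dump in the post (constructed approximation:
# the partial "ed-Since" fragment at 0x0058 is omitted).
PAYLOAD = (b"MDTM foo\r\nCWD /pub/iawg/NeTraMet\r\nPASV\r\nLIST -ltra\r\n"
           b"CWD beta-versions\r\nTYPE A\r\nPASV\r\nLIST -ltra\r\n"
           b"MDTM NeTraMet45b8.tar.gz\r\nCWD ..\r\nCWD ..\r\n"
           b"CWD /pub/iawg/NeTraMet\r\nTYPE A\r\nPASV\r\nLIST -lRa\r\nTYPE ")

# (pattern, distance) pairs: distance is the minimum gap, in bytes, between
# the end of the previous match and the start of this one (Snort "distance:N").
SID_1992_CHAIN = [(b"LIST", 0), (b"..", 1), (b"..", 1)]

# Line-bounded equivalent: every part of the match must sit on one command
# line, so a ".." in a later CWD can no longer complete a match started by LIST.
LINE_BOUNDED = re.compile(rb"^LIST[^\r\n]*\.\.[^\r\n]+\.\.", re.MULTILINE)


def content_chain_matches(payload: bytes, chain) -> bool:
    """Emulate a chain of relative content matches over one buffer.

    Taking the leftmost occurrence at each step is sufficient, because every
    constraint is "start at or after position X": if any later occurrence
    satisfies the rest of the chain, the leftmost one does too.
    """
    pos = 0
    for pattern, distance in chain:
        idx = payload.find(pattern, pos + distance)
        if idx < 0:
            return False
        pos = idx + len(pattern)
    return True


def commands_matching(payload: bytes, chain=SID_1992_CHAIN):
    """Evaluate the chain separately on each CRLF-terminated FTP command."""
    return [cmd for cmd in payload.split(b"\r\n")
            if content_chain_matches(cmd, chain)]


def line_bounded_matches(payload: bytes) -> bool:
    """Regex form that stops at CRLF, as asked for in the post."""
    return LINE_BOUNDED.search(payload) is not None


if __name__ == "__main__":
    print("whole packet :", content_chain_matches(PAYLOAD, SID_1992_CHAIN))  # True
    print("per command  :", commands_matching(PAYLOAD))                       # []
    print("line-bounded :", line_bounded_matches(PAYLOAD))                    # False
    print("real traversal:", commands_matching(b"CWD /pub\r\nLIST ../..\r\n"))
```

On this packet the whole-buffer chain fires because the "LIST -ltra" at one command and the two "CWD .." commands later in the same segment satisfy the chain, while both per-command forms stay silent and still fire on a single "LIST ../.." command.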