[Snort-sigs] rule possibly misfiring
Chris Green
cmg at ...435...
Tue Jan 28 07:59:04 EST 2003
"Kreimendahl, Chad J" <Chad.Kreimendahl at ...361...> writes:
> snort2 both of builds 28 and 49
>
I just tried with build 2.0 B49 and can't reproduce:
alert tcp any any -> any any \
(msg:"POLICY FTP 'STOR 1MB' possible warez site";\
flow:to_server,established; content:"STOR"; nocase; \
content:"1MB"; nocase; distance:1;)
01/28-09:55:50.427925 0:6:5B:DA:D5:74 -> 0:3:93:82:C9:B2 type:0x800 len:0x5D
10.1.1.72:33077 -> 10.1.1.52:80 TCP TTL:64 TOS:0x0 ID:54504 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0x569A34F7 Ack: 0xF0D1C4A7 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 38204614 1525692256
53 54 4F 52 20 50 54 53 2E 55 53 45 52 2E 45 42 STOR PTS.USER.EB
31 32 35 2E 43 48 4B 5F 2B 31 0A 125.CHK_+1.
What does the packet alert off on really look like?
I know this was to port 80 but I did adjust the rule accordingly.
--
Chris Green <cmg at ...435...>
Don't use a big word where a diminutive one will suffice.
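To see why the captured payload should not trip the rule quoted in the message, here is a small Python model of how Snort evaluates a chain of content options with nocase and distance, fed with the hex dump from the post. This is an added example written for this page; it is not part of the thread and not Snort's own code. The hex-dump parser and the matcher are a simplified reconstruction: the modeled semantics (distance counted from the end of the previous match as a minimum gap, retrying later occurrences of the earlier pattern, and no offset/depth/within handling) are assumptions made here, not a reading of the Snort source.

```python
import re
from typing import List, Optional, Tuple

# Payload lines copied from the packet dump in the post: 16 hex bytes per line
# followed by an ASCII column, in Snort's verbose-dump layout.
DUMP_LINES = [
    "53 54 4F 52 20 50 54 53 2E 55 53 45 52 2E 45 42 STOR PTS.USER.EB",
    "31 32 35 2E 43 48 4B 5F 2B 31 0A 125.CHK_+1.",
]

# One entry per content option in the rule: (pattern, nocase, distance).
# distance=None means an absolute search from the start of the payload.
ContentOpt = Tuple[bytes, bool, Optional[int]]

# The content options of the POLICY FTP 'STOR 1MB' rule quoted above.
RULE_CONTENTS: List[ContentOpt] = [
    (b"STOR", True, None),
    (b"1MB", True, 1),  # distance:1 -> search starts 1 byte past the end of "STOR"
]

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def payload_from_dump(lines: List[str]) -> bytes:
    """Rebuild the raw payload from Snort-style dump lines.

    Takes at most 16 two-digit hex tokens per line and stops at the first token
    that is not one, which is where the ASCII column begins.
    """
    out = bytearray()
    for line in lines:
        for tok in line.split()[:16]:
            if not HEX_BYTE.fullmatch(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def match_contents(payload: bytes, contents: List[ContentOpt],
                   cursor: int = 0) -> Optional[List[int]]:
    """Return the start offsets of each content match if all options match in order, else None.

    Assumed semantics (simplified model, not Snort's implementation):
    - nocase: compare case-insensitively;
    - distance:N: the search for this pattern begins N bytes after the end of
      the previous match, and N is a minimum gap, not an exact one;
    - if a later option fails, retry from the next occurrence of the earlier pattern.
    """
    if not contents:
        return []
    pattern, nocase, distance = contents[0]
    hay = payload.lower() if nocase else payload
    needle = pattern.lower() if nocase else pattern
    start = cursor + distance if distance is not None else 0
    pos = hay.find(needle, start)
    while pos != -1:
        rest = match_contents(payload, contents[1:], pos + len(needle))
        if rest is not None:
            return [pos] + rest
        pos = hay.find(needle, pos + 1)
    return None


def rule_fires(payload: bytes) -> bool:
    """True when every content option of the rule matches the payload."""
    return match_contents(payload, RULE_CONTENTS) is not None


if __name__ == "__main__":
    captured = payload_from_dump(DUMP_LINES)
    print("captured payload:", captured)
    print("rule fires on captured payload:", rule_fires(captured))
    # Constructed payloads showing what the rule does and does not accept.
    for sample in (b"STOR 1MB\r\n", b"stor warez.1mb\r\n", b"STOR1MB\r\n"):
        print(sample, "->", match_contents(sample, RULE_CONTENTS))
```

Run as-is, the captured payload reconstructs to `STOR PTS.USER.EB125.CHK_+1` followed by a newline, which contains no `1MB` in any case, so the model agrees with Chris's result that the rule does not match it; `STOR1MB` also fails because `distance:1` requires at least one byte between the end of `STOR` and the start of `1MB`.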