[Snort-sigs] error in rules 1377 & 1378 ?

stephane grundsch at ...592...
Tue Jul 1 12:45:03 EDT 2003


Hello,

I think I've found an error in two rules, or did I miss something? Can 
somebody cross-check my finding?

Here's the detail:

Found an error in rules 1377 and 1378 (rev 10).  "distance" is used 
instead of "within":

ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:1; reference:cve,CVE-2001-0550; reference:cve,CAN-2001-0886; reference:bugtraq,3581; classtype:misc-attack; sid:1378; rev:10;)

Based on the references given, I think they tried to catch 'ls ~{' but 
it actually matches anything with '~' followed somewhere in the packet 
by '{'
(distance means that there must be at least that many bytes between the 
two contents)
(actually, it would be easier to check for '~{' directly... )

Stephane
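
The following is an added illustration for the thread above, not part of the original post and not Snort code. It models Snort's relative content modifiers as the Snort 2 manual describes them (distance:N starts the next search N bytes after the end of the previous match; within:N requires the next pattern to fall entirely inside the N bytes after that start point) and runs the rule as posted, a within:1 variant, and a direct "~{" content against a few constructed FTP command payloads. Everything else about Snort (nocase, offset/depth, fast-pattern, negative distances) is left out.

```python
"""Simplified model of Snort content matching with distance / within.

Added example for the sid:1378 discussion; this is not Snort's own code.
Assumed semantics (per the Snort 2 manual):
  - first content: searched anywhere in the payload
  - distance:N   : search starts N bytes after the end of the previous match,
                   so distance:1 forbids the two patterns being adjacent
  - within:N     : the pattern must lie entirely inside the N bytes that
                   follow the (distance-adjusted) start point
Like Snort, a failed later content backtracks to the next occurrence of the
earlier one.
"""

from typing import List, Optional, Tuple

# (pattern, distance, within); None means the modifier is unset.
Content = Tuple[bytes, Optional[int], Optional[int]]


def _match_from(payload: bytes, contents: List[Content], i: int, cursor: int) -> bool:
    """Try to match contents[i:] with the previous match ending at `cursor`."""
    if i == len(contents):
        return True
    pattern, distance, within = contents[i]
    if i == 0:
        start, end = 0, len(payload)
    else:
        start = cursor + (distance or 0)
        end = len(payload) if within is None else start + within
    # bytes.find with (start, end) only reports hits that fit entirely in the window
    pos = payload.find(pattern, start, end)
    while pos >= 0:
        if _match_from(payload, contents, i + 1, pos + len(pattern)):
            return True
        pos = payload.find(pattern, pos + 1, end)   # backtrack to next occurrence
    return False


def match_contents(payload: bytes, contents: List[Content]) -> bool:
    """Return True if all contents match in order, honouring distance/within."""
    return _match_from(payload, contents, 0, 0)


# The content part of sid:1378 rev 10 exactly as posted: '~', then '{' with distance:1
RULE_AS_POSTED: List[Content] = [(b"~", None, None), (b"{", 1, None)]
# What the post argues was intended: '{' immediately after '~' (within:1)
RULE_WITH_WITHIN: List[Content] = [(b"~", None, None), (b"{", None, 1)]
# The simpler alternative suggested in the post
RULE_DIRECT: List[Content] = [(b"~{", None, None)]

# Constructed sample FTP command payloads (not captured traffic).
ATTACK = b"LIST ~{\r\n"                      # the '~{' glob the rule is meant to catch
BENIGN_TILDE_BRACE = b"CWD ~user/some{thing}\r\n"  # '~' then a '{' much later
UNRELATED = b"RETR file.txt\r\n"


def evaluate(payload: bytes) -> dict:
    """Run all three rule variants against one payload."""
    return {
        "as_posted (distance:1)": match_contents(payload, RULE_AS_POSTED),
        "within:1": match_contents(payload, RULE_WITH_WITHIN),
        'content:"~{"': match_contents(payload, RULE_DIRECT),
    }


if __name__ == "__main__":
    for name, payload in [("attack", ATTACK),
                          ("benign ~ ... {", BENIGN_TILDE_BRACE),
                          ("unrelated", UNRELATED)]:
        print(f"{name:16} {payload!r}")
        for rule, hit in evaluate(payload).items():
            print(f"    {rule:24} -> {hit}")
```

Under these semantics the posted rule misses the adjacent "~{" entirely (distance:1 skips the byte right after the tilde) while firing on any "~" followed later by "{"; the within:1 and direct-content variants behave the other way round.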
