[Snort-sigs] Question about rule semantic

Brian bmc at ...95...
Mon Jun 23 08:06:25 EDT 2003


On Tue, Jun 17, 2003 at 11:11:30PM +0200, stephane wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow 
> attempt"; flow:to_server,established; content:"CWD "; nocase; 
> content:!"|0a|"; within:100; reference:cve,CAN-2000-1035; 
> reference:cve,CAN-2000-1194; reference:cve,CAN-2002-0126; 
> classtype:attempted-admin; sid:1919; rev:3;)
> 
> It's purpose is to catch potential buffer overflows. I think the author 
> thought this rule will work as follow:
> - match if there is "CWD " followed by 100 chars without a '0x0a' 
> (linefeed).
> 
> I think this is wrong, and will actually work like that:
> - match if there is "CWD " followed by anything different than '0x0a' 
> within the next 100 bytes

It would be faster to define it like this:

match if there is a "CWD", followed by at least 100 bytes of data, 
without a 0x0a within 100 bytes of CWD.

While this can be done via an abuse of byte_test, a better approach is
in the works.

-brian




More information about the Snort-sigs mailing list