[Snort-sigs] Question about rule semantic
bmc at ...95...
Mon Jun 23 08:06:25 EDT 2003
On Tue, Jun 17, 2003 at 11:11:30PM +0200, stephane wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow
> attempt"; flow:to_server,established; content:"CWD "; nocase;
> content:!"|0a|"; within:100; reference:cve,CAN-2000-1035;
> reference:cve,CAN-2000-1194; reference:cve,CAN-2002-0126;
> classtype:attempted-admin; sid:1919; rev:3;)
> Its purpose is to catch potential buffer overflows. I think the author
> thought this rule will work as follows:
> - match if there is "CWD " followed by 100 chars without a '0x0a'
> I think this is wrong, and will actually work like that:
> - match if there is "CWD " followed by anything different than '0x0a'
> within the next 100 bytes
It would be faster to define it like this:
match if there is a "CWD", followed by at least 100 bytes of data,
without a 0x0a within 100 bytes of CWD.
While this can be done via an abuse of byte_test, a better approach is
in the works.
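To make the three readings discussed in this thread concrete, here is a small Python model added to this archive page (it is not from the original post and not Snort's matcher). It models only the last two options of sid:1919 relative to the "CWD " match: the literal reading quoted above ("some byte other than 0x0a within the next 100 bytes"), the negated-content reading ("no 0x0a anywhere in the up-to-100-byte window after CWD, even if the payload is shorter"), and the stricter form proposed in the reply ("at least 100 bytes after CWD, none of them 0x0a"). The sample FTP payloads are constructed for the example; the model searches only the first "CWD " occurrence and ignores the flow/established and port checks, which is a simplification.

```python
import re

WINDOW = 100  # the rule's within:100

# content:"CWD "; nocase;  -> case-insensitive search for the command keyword
CWD_RE = re.compile(rb"CWD ", re.IGNORECASE)


def _after_cwd(payload: bytes):
    """Return the bytes following the first "CWD " match, or None if absent.

    Simplification (assumption): only the first occurrence is considered.
    """
    m = CWD_RE.search(payload)
    if m is None:
        return None
    return payload[m.end():]


def reading_any_non_lf(payload: bytes) -> bool:
    """Literal reading: "CWD " followed by some byte != 0x0a within 100 bytes.

    This fires on every ordinary CWD command, so it is useless as a detector.
    """
    rest = _after_cwd(payload)
    if rest is None:
        return False
    return any(b != 0x0a for b in rest[:WINDOW])


def reading_no_lf_in_window(payload: bytes) -> bool:
    """Negated-content reading: no 0x0a in the (up to) 100 bytes after "CWD ".

    The window is truncated at the end of the payload, so a short segment
    without a trailing newline also matches.
    """
    rest = _after_cwd(payload)
    if rest is None:
        return False
    return 0x0a not in rest[:WINDOW]


def reading_min_length_no_lf(payload: bytes) -> bool:
    """Stricter form from the reply: at least 100 bytes after "CWD ",
    none of which is 0x0a."""
    rest = _after_cwd(payload)
    if rest is None:
        return False
    window = rest[:WINDOW]
    return len(window) == WINDOW and 0x0a not in window


READINGS = {
    "any_non_lf": reading_any_non_lf,
    "no_lf_in_window": reading_no_lf_in_window,
    "min_length_no_lf": reading_min_length_no_lf,
}

# Constructed sample payloads (not real captures).
SAMPLES = {
    "normal short CWD": b"CWD /pub\r\n",
    "long CWD, no newline": b"CWD " + b"A" * 200,
    "short segment, no newline": b"CWD " + b"A" * 50,
    "long CWD with newline (lowercase)": b"cwd " + b"A" * 150 + b"\r\n",
    "no CWD at all": b"USER anonymous\r\n",
}


def compare(samples=SAMPLES) -> dict:
    """Evaluate every reading against every sample; returns {name: {reading: bool}}."""
    return {name: {r: f(p) for r, f in READINGS.items()} for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:36s}", "  ".join(f"{r}={v}" for r, v in verdicts.items()))
```

Running it shows why the negated-content form still needs a length check: a truncated "CWD AAAA..." segment with no newline yet is accepted by the window reading but rejected by the minimum-length form, while the literal "any byte other than 0x0a" reading fires on a plain "CWD /pub".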