[Snort-sigs] SID 2417

Paul Schmehl pauls at ...1311...
Fri Aug 20 09:34:05 EDT 2004


Can someone explain exactly what this rule is supposed to detect?  I'm not 
referring to the packet itself, but to the attack methodology.  I can see 
that it looks for a string of characters with percent signs interspersed, 
which is obviously encoding, and it certainly does that, but what exactly 
is the nature of the attack that it's detecting?

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%"; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2417; rev:1;)

Here's one packet:

50 41 53 56 0D 0A 52 45 54 52 20 2F 68 6F 6D 65   PASV..RETR /home
2F 30 30 31 2F 6C 2F 6C 78 2F 6C 78 6F 30 31 35   /001/l/lx/lxo015
30 30 30 2F 70 75 62 6C 69 63 5F 68 74 6D 6C 2F   000/public_html/
50 68 6F 74 6F 2F 4D 75 6E 6B 61 68 65 6C 79 2F   Photo/Munkahely/
65 62 65 64 5F 73 7A 75 6E 65 74 5F 6B 2E 6A 70   ebed_szunet_k.jp
67 0D 0A 33 61 25 32 66 25 32 66 62 61 79 39 25   g..3a%2f%2fbay9%
32 65 6F 65 25 32 65 68 6F 74 6D 61 69 6C 25 32   2eoe%2ehotmail%2
65 63 6F 6D 25 32 66 63 67 69 25 32 64 62 69 6E   ecom%2fcgi%2dbin
25 32 66 68 6D 64 61 74 61 25 32 66 64 61 6F 6F   %2fhmdata%2fdaoo
64 25 34 30 68 6F 74 6D 61 69 6C 25 32 65 63 6F   d%40hotmail%2eco
6D 25 33 66 26 6C                                 m%3f&l

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
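Added illustration, not part of the message above: the script below replays SID 2417's pcre (`/\s+.*?%.*?%/smi`, i.e. DOTALL, MULTILINE and caseless) over the payload from the quoted hex dump, percent-decodes the part that tripped the rule, and contrasts it with a constructed FTP command carrying printf-style conversions of the kind a format string attempt would contain. The `FORMAT_SPEC` pattern is my own assumption for the comparison, not a later Snort revision of the rule, and the `USER %x%x%x%n` sample is constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Hex column of the packet quoted in the post (ASCII column dropped).
HEX_DUMP = """
50 41 53 56 0D 0A 52 45 54 52 20 2F 68 6F 6D 65
2F 30 30 31 2F 6C 2F 6C 78 2F 6C 78 6F 30 31 35
30 30 30 2F 70 75 62 6C 69 63 5F 68 74 6D 6C 2F
50 68 6F 74 6F 2F 4D 75 6E 6B 61 68 65 6C 79 2F
65 62 65 64 5F 73 7A 75 6E 65 74 5F 6B 2E 6A 70
67 0D 0A 33 61 25 32 66 25 32 66 62 61 79 39 25
32 65 6F 65 25 32 65 68 6F 74 6D 61 69 6C 25 32
65 63 6F 6D 25 32 66 63 67 69 25 32 64 62 69 6E
25 32 66 68 6D 64 61 74 61 25 32 66 64 61 6F 6F
64 25 34 30 68 6F 74 6D 61 69 6C 25 32 65 63 6F
6D 25 33 66 26 6C
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex column back into raw payload bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


PAYLOAD = hexdump_to_bytes(HEX_DUMP)

# SID 2417: content:"%" plus pcre:"/\s+.*?%.*?%/smi"  (s=DOTALL, m=MULTILINE, i=caseless).
SID2417_PCRE = re.compile(rb"\s+.*?%.*?%", re.S | re.M | re.I)


def sid2417_matches(payload: bytes) -> bool:
    """Re-create the rule's detection logic: a literal '%' somewhere in the
    payload, and whitespace followed (anywhere later) by two '%' characters."""
    return b"%" in payload and SID2417_PCRE.search(payload) is not None


# Assumed tighter check for comparison only (my illustration, not a Snort rule):
# a printf-style conversion such as %n, %s, %x or %p, optionally with a width.
# Hex digits never include n/s/x/p, so URL-escapes like %2f or %40 do not match.
FORMAT_SPEC = re.compile(rb"%[0-9]*[nsxp]")


def format_spec_count(payload: bytes) -> int:
    """Count printf-style conversions present in the payload."""
    return len(FORMAT_SPEC.findall(payload))


def percent_decode(payload: bytes) -> bytes:
    """Undo URL percent-encoding so a human can see what the '%' runs really are."""
    return unquote_to_bytes(payload)


def ftp_lines(payload: bytes) -> list:
    """Split a raw FTP control-channel payload into its CRLF-terminated commands."""
    return [line for line in payload.split(b"\r\n") if line]


if __name__ == "__main__":
    # Constructed sample of the kind of input the rule was written for.
    FORMAT_STRING_SAMPLE = b"USER %x%x%x%n\r\n"
    for label, pkt in (("dump from post", PAYLOAD), ("constructed sample", FORMAT_STRING_SAMPLE)):
        print(f"{label}: SID 2417 fires={sid2417_matches(pkt)} "
              f"printf conversions={format_spec_count(pkt)}")
    for line in ftp_lines(PAYLOAD):
        print("  decoded:", percent_decode(line))
```

Running it shows both inputs trip SID 2417, but only the constructed `USER %x%x%x%n` line contains printf conversions; the quoted packet's `%2f`, `%2e`, `%40` and `%3f` decode to `//bay9.oe.hotmail.com/cgi-bin/hmdata/daood@hotmail.com?&l`, an ordinary URL-encoded path. The tighter pattern is not free of false positives either (`%20s`, a URL-encoded space followed by a literal `s`, would match it), which is why a rule this broad is usually tuned per environment rather than replaced with a single stricter regex.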
