[Snort-sigs] SID 2417

Nigel Houghton nigel at ...435...
Fri Aug 20 09:54:01 EDT 2004


On  0, Paul Schmehl <pauls at ...1311...> allegedly wrote:
> Can someone explain exactly what this rule is supposed to detect?  I'm not 
> referring to the packet itself, but to the attack methodology.  I can see 
> that it looks for a string of characters with percent signs interspersed, 
> which is obviously encoding, and it certainly does that, but what exactly 
> is the nature of the attack that's it's detecting?

Well, the rule is looking for an attempt to send information to an FTP
server in printf format (%foo%foo%foo%foo), this may cause a DoS or could
give an opportunity to execute code.

something like "somethinghere<SPACE>%u%u%u%u" etc...

Windows FTP servers and WuFTP (and some others) have had issues with this.

Sorry the doc is a little vague, I'll update it to be more specific.

+-------------------------------------------------------------------------+
       Nigel Houghton       Research Engineer        Sourcefire Inc.
                       Vulnerability Research Team
                                                                         
  "Dude, dolphins are intelligent and friendly!" - Wendy
  "Intelligent and friendly on rye bread, with some mayonaise." - Cartman
+-------------------------------------------------------------------------+




More information about the Snort-sigs mailing list