[Snort-sigs] False positive in 1992.8 (FTP LIST directory traversal attempt)

nnposter nnposter at ...592...
Thu Dec 2 20:33:11 EST 2004

Rule: FTP LIST directory traversal attempt

Sid: 1992

The rule has a false positive when an inspected packet consists 
of multiple FTP commands where each command contains an instance 
of dot-dot, such as "LIST ..\nCWD ..\n".

I am proposing to replace the original set of content clauses...

content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; 

...with a regular expression to ensure that the whole pattern is
a single line


The updated rule would then look as follows:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 
(msg:"FTP LIST directory traversal attempt"; flow:to_server,established; 
content:"LIST"; nocase; pcre:"/LIST\b[^\n]*?\.\.[^\n]*?\.\./mi"
reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; 
reference:nessus,11112; classtype:protocol-command-decode; 
sid:1992; rev:9;) 

More information about the Snort-sigs mailing list