[Snort-sigs] False positive in 1777.6 (FTP EXPLOIT STAT * dos attempt)

nnposter nnposter at ...592...
Thu Dec 9 13:23:02 EST 2004


Rule: FTP EXPLOIT STAT * dos attempt

--
Sid: 1777

--
The rule has a false positive when an inspected packet consists of 
one or more FTP commands where one of them contains a "stat" string 
and then '*' is found anywhere later in the packet, such as:

LIST data/statistics/foo*


I am proposing to replace the '*' content clause in...

content:"STAT"; nocase; content:"*"; distance:1;

...with a regular expression to ensure that the whole pattern is
a single line, resembling a FTP command:

pcre:"/^\s*STAT[ \t]+[^\n]*?\*/mi";


The updated rule would then look as follows:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 
(msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; 
content:"STAT"; nocase; pcre:"/^\s*STAT[ \t]+[^\n]*?\*/mi";
reference:bugtraq,4482; reference:cve,2002-0073; 
reference:nessus,10934; classtype:attempted-dos; sid:1777; rev:7;)




More information about the Snort-sigs mailing list