[Snort-sigs] False positive in 1777.6 (FTP EXPLOIT STAT * dos attempt)

nnposter nnposter at ...592...
Thu Dec 9 13:23:02 EST 2004

Rule: FTP EXPLOIT STAT * dos attempt

Sid: 1777

The rule has a false positive when an inspected packet consists of 
one or more FTP commands where one of them contains a "stat" string 
and then '*' is found anywhere later in the packet, such as:

LIST data/statistics/foo*

I am proposing to replace the '*' content clause in...

content:"STAT"; nocase; content:"*"; distance:1;

...with a regular expression to ensure that the whole pattern is
a single line, resembling an FTP command:

pcre:"/^\s*STAT[ \t]+[^\n]*?\*/mi";

The updated rule would then look as follows:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 
(msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; 
content:"STAT"; nocase; pcre:"/^\s*STAT[ \t]+[^\n]*?\*/mi";
reference:bugtraq,4482; reference:cve,2002-0073; 
reference:nessus,10934; classtype:attempted-dos; sid:1777; rev:7;)
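As an added illustration (not part of the original post, and not Snort's own matcher), the following Python script emulates the two clause sets discussed above and runs them over constructed FTP payloads. Python's `re` module stands in for Snort's PCRE engine (the rule's `m` and `i` modifiers become `re.MULTILINE | re.IGNORECASE`); the handling of `content`/`distance:1` is a simplified model of how the old rule's relative content match behaves, assumed here for demonstration only.

```python
import re

# Constructed emulation of the two clause sets from the post; Snort's real
# detection engine is not reproduced here.

# The proposed clause, compiled with Python's re as a stand-in for Snort's
# PCRE engine ("m" -> re.MULTILINE, "i" -> re.IGNORECASE).
STAT_STAR_PCRE = re.compile(r"^\s*STAT[ \t]+[^\n]*?\*",
                            re.MULTILINE | re.IGNORECASE)


def old_rule_matches(payload: bytes) -> bool:
    """Emulate: content:"STAT"; nocase; content:"*"; distance:1;

    "STAT" is searched case-insensitively anywhere in the payload. For each
    occurrence, the '*' search starts one byte past the end of that match
    (distance:1). Any STAT occurrence with a later '*' satisfies the rule,
    which is exactly why "LIST data/statistics/foo*" fires it.
    """
    data = payload.decode("latin-1")
    lower = data.lower()
    start = 0
    while True:
        i = lower.find("stat", start)
        if i == -1:
            return False
        # distance:1 -> the '*' search window begins one byte after "stat"
        if "*" in data[i + len("stat") + 1:]:
            return True
        start = i + 1


def new_rule_matches(payload: bytes) -> bool:
    """Emulate the proposed pcre: a line must begin with STAT (optional
    leading whitespace), followed by at least one space/tab, and contain
    '*' somewhere later on that same line."""
    data = payload.decode("latin-1")
    return STAT_STAR_PCRE.search(data) is not None


# Constructed sample FTP command payloads (not captured traffic).
SAMPLES = {
    "post_fp": b"LIST data/statistics/foo*\r\n",        # false positive from the post
    "two_cmds": b"STAT /home\r\nLIST *\r\n",             # '*' only on a later command line
    "true_pos": b"STAT *\r\n",                           # genuine STAT * request
    "true_lower": b"USER anonymous\r\nstat *.txt\r\n",   # nocase, second line of packet
    "no_star": b"STAT /pub\r\n",                         # STAT without any '*'
}


def compare(samples=SAMPLES):
    """Return {name: (old_rule_result, new_rule_result)} for each payload."""
    return {name: (old_rule_matches(p), new_rule_matches(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:12s} old={old!s:5s} new={new!s:5s}")
```

Running it shows the two cases the regex removes (`post_fp` and `two_cmds` fire only the old clauses) while the genuine `STAT *` payloads still match under both, including a lower-case `stat` on the second command line of a packet.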

