[Snort-sigs] How to NOT match on packets or streams

Brian bmc at ...95...
Mon Feb 2 07:02:04 EST 2004


On Mon, Feb 02, 2004 at 02:18:10PM +0100, Martin Olsson wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string
> attempt"; flow:to_server,established; content:"USER"; nocase; content:"%";
> distance:1; within:10; reference:bugtraq,7474; classtype:misc-attack;
> sid:2178; rev:1;)
> 
> This rule was built to catch a username with a '%'. The author assume
> that this string is seen in a single packet, not in a stream.
> 
> False positives occurr when stream4 give you a virtual packet
> (über-packet) with both the USER login and some other data that accidently
> contain a '%'.
> 
> One captured packet contain "USER foo".
> The next one contain "PASS %bar".
> The generated über-packet contain: "USER foo<return>PASS %bar<return>".

While you can use flow "no_stream" option to do what you want, how
about we fix the rule, instead of using the flow option as a kludge.

Please try the following rule and let me know if it is better for you.

    alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,7776; classtype:misc-attack; sid:2178; rev:4;)

Brian




More information about the Snort-sigs mailing list