[Snort-sigs] issue with sid 1621, FTP CMD overflow attempt

Milani Paolo Paolo.Milani at ...1843...
Tue Feb 3 14:41:12 EST 2004


Hello,

I must be missing something: this signature looks for a CMD command (+overflow) in FTP, but there is no such command in the FTP protocol, at least according to RFC 959... am I looking at the wrong RFC?

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1621; rev:10;)

thanks,
Paolo Milani
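
The following is an added example, not part of the original post or of the Snort project: a Python approximation of the payload options of sid 1621 (content, isdataat, pcre), run over constructed FTP payloads to show which byte patterns the rule alerts on, alongside the RFC 959 command verbs. The function names, the sample payloads and the simplified isdataat bounds check are assumptions of this example.

```python
import re

# Command verbs defined by RFC 959; "CMD" is not among them.
RFC959_COMMANDS = frozenset(
    "USER PASS ACCT CWD CDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE RETR STOR "
    "STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD LIST NLST SITE SYST "
    "STAT HELP NOOP".split()
)

CONTENT = re.compile(rb"CMD", re.I)  # content:"CMD"; nocase;
# pcre flags: s = dot matches newline, m = ^ also matches after "\n", i = caseless
SID_1621_PCRE = re.compile(rb"^CMD\s[^\n]{100}", re.S | re.M | re.I)


def sid_1621_matches(payload: bytes) -> bool:
    """Approximate the payload options of sid 1621 on one reassembled segment."""
    for hit in CONTENT.finditer(payload):
        # isdataat:100,relative -> a byte must exist 100 bytes past the content match
        has_data = hit.end() + 100 < len(payload)
        # the pcre has no R modifier, so it is evaluated from the start of the payload
        if has_data and SID_1621_PCRE.search(payload):
            return True
    return False


def verb_in_rfc959(line: bytes) -> bool:
    """True if the first word of an FTP command line is an RFC 959 verb."""
    parts = line.split(None, 1)
    return bool(parts) and parts[0].decode("ascii", "replace").upper() in RFC959_COMMANDS


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "long CMD argument": b"CMD " + b"A" * 100 + b"\r\n",
    "short CMD argument": b"CMD " + b"A" * 50 + b"\r\n",
    "99 bytes plus CR": b"cmd " + b"A" * 99 + b"\r\n",  # "\r" is not "\n", so it counts
    "second line of a segment": b"USER anonymous\r\nCMD " + b"A" * 120 + b"\r\n",
    "CMD not at line start": b"SITE CMD " + b"A" * 200 + b"\r\n",
    "other long command": b"STOR " + b"A" * 200 + b"\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:26} alert={sid_1621_matches(payload)}")
    print("CMD defined in RFC 959:", verb_in_rfc959(b"CMD test\r\n"))
```

The rule keys on the literal verb at the start of a line, so a long argument to any other verb, or "CMD" appearing mid-line, does not trigger it.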

