[Snort-sigs] issue with sid 1621, FTP CMD overflow attempt
mkettler at ...189...
Tue Feb 3 15:40:14 EST 2004
At 12:28 PM 2/3/2004, Milani Paolo wrote:
>I must be missing something, this signature looks for CMD command
>(+overflow) in ftp.. but there is no such command in the ftp protocol, at
>least according to rfc959... am I looking at the wrong rfc?
>alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow
>attempt"; flow:to_server,established; content:"CMD"; nocase;
>classtype:attempted-admin; sid:1621; rev:10;)
Well, just because it's not in RFC959 doesn't mean there's not an FTPD that
supports such a command.
It appears that in this case CMD is an FTP extension to allow execution of
files from an FTP session.
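
An added example, not part of the original thread or of Snort itself: the Python sketch below checks FTP control-channel lines against the RFC 959 command list and against the rule exactly as quoted above (a case-insensitive content match on "CMD" with no position constraint). The function names and the sample lines are constructed for illustration.

```python
# Command verbs defined in RFC 959, section 5.3.1.
RFC959_VERBS = frozenset(
    "USER PASS ACCT CWD CDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE "
    "RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD "
    "LIST NLST SITE SYST STAT HELP NOOP".split()
)


def quoted_rule_matches(payload: bytes) -> bool:
    """Emulate content:"CMD"; nocase; as quoted: a substring match anywhere."""
    return b"cmd" in payload.lower()


def classify(line: bytes) -> dict:
    """Split one control-channel line into verb and argument and describe it."""
    parts = line.rstrip(b"\r\n").split(None, 1)
    verb = parts[0].decode("ascii", "replace").upper() if parts else ""
    arg = parts[1] if len(parts) > 1 else b""
    return {
        "verb": verb,
        "in_rfc959": verb in RFC959_VERBS,   # False means a server extension
        "arg_len": len(arg),                 # long arguments are the overflow concern
        "rule_matches": quoted_rule_matches(line),
    }


def triage(lines):
    """Separate real CMD verbs from lines that only contain the string 'cmd'."""
    cmd_verb, substring_only = [], []
    for line in lines:
        info = classify(line)
        if not info["rule_matches"]:
            continue
        (cmd_verb if info["verb"] == "CMD" else substring_only).append(info)
    return cmd_verb, substring_only


# Constructed sample traffic (client-to-server FTP control lines).
SAMPLE = [
    b"USER anonymous\r\n",
    b"RETR cmd.txt\r\n",
    b"CMD /bin/ls\r\n",
    b"cmd " + b"A" * 200 + b"\r\n",
    b"NOOP\r\n",
]

if __name__ == "__main__":
    hits, noise = triage(SAMPLE)
    for info in hits + noise:
        print(info)
```

The lines whose verb is CMD are the ones the rule is aimed at; the RETR line is flagged only because its filename contains the string.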