[Snort-sigs] isssue with sid 1621, FTP CMD overflow attempt

Matt Kettler mkettler at ...189...
Tue Feb 3 15:40:14 EST 2004


At 12:28 PM 2/3/2004, Milani Paolo wrote:
>I must be missing something, this signature looks for CMD command 
>(+overflow) in ftp.. but there is no such command in the ftp protocol, at 
>least according to rfc959... am I looking at the wrong rfc?
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow 
>attempt"; flow:to_server,established; content:"CMD"; nocase; 
>isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; 
>classtype:attempted-admin; sid:1621; rev:10;)

Well, just because it's not in RFC959 doesn't mean there's not a FTPD that 
supports such a command.

example:
http://packetstormsecurity.nl/advisories/dna/dna-1999-002.htm

It appears that in this case CMD is a FTP extension to allow execution of 
files from an FTP session.





More information about the Snort-sigs mailing list