[Snort-sigs] Error in sid 1229
tyler at ...2280...
Thu Feb 26 12:56:03 EST 2004
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ...";
flow:to_server,established; content:"CWD"; nocase;
pcre:"/^CWD\s[^\n]*?.../smi"; reference:bugtraq,9237; classtype:bad-unknown;
Error in rule
Rule alerts whenever a CWD is done instead of a CWD ...
The pcre expression in the rule is incorrect. The 3 periods in the
expression match on any three characters. They should be escaped instead.
Ease of Attack:
The pcre option should be changed to pcre:"/^CWD\s[^\n]*?\.\.\./smi";
Tyler Hudak <tyler at ...2280...> - fix
Sourcefire Research Team
Brian Caswell <brian.caswell at ...435...>
Nigel Houghton <nigel.houghton at ...435...>
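
The effect of the unescaped dots described in the post above, as an added example that is not part of the original message or of the Snort rule set. It assumes Python's re flags S, M and I behave like the rule's /smi modifiers for these patterns; the FTP payloads are constructed samples.

```python
import re

# Python flags standing in for the rule's /smi modifiers (assumption:
# equivalent to PCRE for these simple patterns).
FLAGS = re.S | re.M | re.I

ORIGINAL = re.compile(r"^CWD\s[^\n]*?...", FLAGS)   # pcre as quoted from sid 1229
FIXED = re.compile(r"^CWD\s[^\n]*?\.\.\.", FLAGS)   # pcre proposed in the post

# Constructed FTP control-channel payloads: (payload, should_alert).
# Only a CWD argument containing a literal "..." should alert.
SAMPLES = [
    ("CWD ...\r\n", True),
    ("cwd incoming/.../x\r\n", True),
    ("CWD pub\r\n", False),
    ("CWD ..\r\n", False),
    ("CWD /a\r\n", False),
    ("LIST\r\n", False),
]


def evaluate(pattern):
    """Return (false_positives, false_negatives) for a compiled pattern."""
    false_pos, false_neg = [], []
    for payload, should_alert in SAMPLES:
        hit = pattern.search(payload) is not None
        if hit and not should_alert:
            false_pos.append(payload)
        elif should_alert and not hit:
            false_neg.append(payload)
    return false_pos, false_neg


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("fixed", FIXED)):
        false_pos, false_neg = evaluate(pattern)
        print(f"{name}: false positives={false_pos!r} "
              f"false negatives={false_neg!r}")
```

With the /s modifier the unescaped dots also match the trailing carriage return, which is why even a short argument such as "/a" satisfies the original expression.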