[Snort-sigs] Error in sid 1229

tyler tyler at ...2280...
Thu Feb 26 12:56:03 EST 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:  
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ...";
flow:to_server,established; content:"CWD"; nocase;
pcre:"/^CWD\s[^\n]*?.../smi"; reference:bugtraq,9237; classtype:bad-unknown;
sid:1229; rev:6;)

--
Sid:
1229
--
Summary:
Error in rule

--
Impact:

Rule alerts whenever a CWD is done instead of a CWD ...

--
Detailed Information:

The pcre expression in the rule is incorrect.  The 3 periods in the
expression match on any three characters.  They should be escaped instead.

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

--
False Negatives:

--
Corrective Action:
The pcre option should be changed to pcre:"/^CWD\s[^\n]*?\.\.\./smi";
--
Contributors:
Tyler Hudak <tyler at ...2280...> - fix

Original contributors:
Sourcefire Research Team
Brian Caswell <brian.caswell at ...435...>
Nigel Houghton <nigel.houghton at ...435...>

-- 
Additional References:




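The difference between the two pcre options in the message above, as an added example that is not part of the original post or the Snort rule set. It assumes Python's `re` with the I, M and S flags behaves like PCRE `/smi` for these two patterns; the FTP payloads are constructed samples.

```python
import re

# Assumption: re.I | re.M | re.S stands in for the rule's PCRE /smi modifiers.
FLAGS = re.I | re.M | re.S

ORIGINAL = re.compile(r"^CWD\s[^\n]*?...", FLAGS)      # pcre as shipped in rev 6
CORRECTED = re.compile(r"^CWD\s[^\n]*?\.\.\.", FLAGS)  # pcre from Corrective Action

# Constructed FTP control-channel payloads (not captured traffic).
# The second field says whether the CWD argument really contains "...".
SAMPLES = [
    ("CWD ...\r\n", True),
    ("cwd /pub/...\r\n", True),
    ("CWD /pub/incoming\r\n", False),
    ("CWD ..\r\n", False),   # ordinary parent-directory change
    ("CWD /\r\n", False),    # with /s the dots also consume CR and LF
    ("USER anonymous\r\nCWD docs\r\n", False),  # /m anchors ^ on the 2nd line
]


def false_positives(pattern):
    """Payloads the pattern alerts on although no '...' is present."""
    return [p for p, has_dots in SAMPLES if not has_dots and pattern.search(p)]


def false_negatives(pattern):
    """Payloads containing 'CWD ...' that the pattern fails to alert on."""
    return [p for p, has_dots in SAMPLES if has_dots and not pattern.search(p)]


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(f"{name}: false positives={false_positives(pat)!r} "
              f"false negatives={false_negatives(pat)!r}")
```
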