[Snort-sigs] Avoidance of 1672.10 (FTP CWD ~ attempt)

nnposter at ...592...
Fri Jul 2 17:06:02 EDT 2004


Rule:  FTP CWD ~ attempt

--
Sid: 1672

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

--
False Negatives:
The current version of the rule incorrectly assumes specific FTP
command capitalization. As a result, an attacker can easily get
around the signature.

See http://www.faqs.org/rfcs/rfc959.html
--
Corrective Action:

--
Contributors:

-- 
Additional References:


I am proposing to add "nocase" to the command content clause:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
(msg:"FTP CWD ~ attempt"; flow:to_server,established; \
content:"CWD"; nocase; \
pcre:"/^CWD\s+~/smi"; reference:bugtraq,2601; reference:bugtraq,9215; \
reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:11;)
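
As an added illustration (not part of nnposter's post or of the Snort rule set), the following Python models how sid:1672 is evaluated: the content clause is checked first, and the pcre (which already carries the /i flag) only runs if the content clause matched. It is a simplified emulation of Snort's option evaluation, not Snort's own matching engine, and it runs the old rule and the proposed rule over a few constructed FTP command lines.

```python
import re

# Constructed sample FTP command lines, as a client would send them to port 21.
SAMPLE_COMMANDS = [
    "CWD ~\r\n",      # canonical form the current rule catches
    "cwd ~\r\n",      # lower-case form, legal per RFC 959
    "Cwd ~root\r\n",  # mixed case with a user name after the tilde
    "CWD /pub\r\n",   # benign directory change, no tilde
    "CWD  ~\r\n",     # extra whitespace, still matched by \s+
]

# The pcre from sid:1672, /^CWD\s+~/smi, is already case-insensitive.
CWD_TILDE = re.compile(rb"^CWD\s+~", re.S | re.M | re.I)


def rule_matches(payload: bytes, nocase: bool) -> bool:
    """Emulate sid:1672 on one client payload.

    nocase=False models the current rule (case-sensitive content:"CWD").
    nocase=True models the proposed rule (content:"CWD"; nocase;).
    As in Snort, the pcre is only consulted once the content clause hits.
    """
    needle = b"CWD"
    haystack = payload.upper() if nocase else payload
    if needle not in haystack:
        return False  # content clause failed; the pcre never runs
    return CWD_TILDE.search(payload) is not None


def evaluate(commands, nocase: bool) -> dict:
    """Map each sample command to whether the (old or proposed) rule fires."""
    return {cmd: rule_matches(cmd.encode(), nocase) for cmd in commands}


def missed_by_current_rule(commands) -> list:
    """Commands the proposed rule alerts on but the current rule lets through."""
    old = evaluate(commands, nocase=False)
    new = evaluate(commands, nocase=True)
    return [cmd for cmd in commands if new[cmd] and not old[cmd]]


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(repr(cmd), "current:", rule_matches(cmd.encode(), False),
              "proposed:", rule_matches(cmd.encode(), True))
    print("missed by current rule:", missed_by_current_rule(SAMPLE_COMMANDS))
```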



