[Snort-sigs] Avoidance of 1992.5 (FTP LIST directory traversal attempt)

nnposter at ...592... nnposter at ...592...
Fri Jul 2 17:06:23 EDT 2004


Rule:  FTP LIST directory traversal attempt

--
Sid: 1992

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

--
False Negatives:
The current version of the rule incorrectly assumes specific FTP
command capitalization. As a result, an attacker can easily get
around the signature.

See http://www.faqs.org/rfcs/rfc959.html
--
Corrective Action:

--
Contributors:

-- 
Additional References:


I am proposing to add "nocase" to the command content clause:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
(msg:"FTP LIST directory traversal attempt"; \
flow:to_server,established; \
content:"LIST"; nocase; \
content:".."; distance:1; content:".."; distance:1; \
reference:bugtraq,2618; reference:cve,2001-0680; reference:nessus,11112; \
classtype:protocol-command-decode; sid:1992; rev:6;)
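
Added example, not part of the original post: a simplified Python model of the rule's content/distance matching, run over constructed FTP command lines, to check the false negative described above and the effect of "nocase". It assumes the current rule is the proposed one without "nocase"; the function names and sample lines are illustrative.

```python
# Simplified model of Snort content matching with "nocase" and "distance".
# Each rule is a list of (pattern, nocase, distance) tuples in rule order.

def rule_matches(payload, contents):
    """Return True if every content matches in order, honouring distance."""
    def search(idx, cursor):
        if idx == len(contents):
            return True
        pattern, nocase, distance = contents[idx]
        hay = payload.lower() if nocase else payload
        needle = pattern.lower() if nocase else pattern
        start = cursor + distance  # distance:N skips N bytes after the previous match
        while True:
            pos = hay.find(needle, start)
            if pos < 0:
                return False
            if search(idx + 1, pos + len(needle)):
                return True
            start = pos + 1        # retry from a later occurrence
    return search(0, 0)

# Assumption: the current rule equals the proposed one minus "nocase".
CURRENT_RULE = [(b"LIST", False, 0), (b"..", False, 1), (b"..", False, 1)]
PROPOSED_RULE = [(b"LIST", True, 0), (b"..", False, 1), (b"..", False, 1)]

# Constructed FTP control-channel lines (not captured traffic).
SAMPLES = [
    b"LIST ../../\r\n",   # upper-case command with traversal
    b"list ../../\r\n",   # lower-case command with traversal
    b"LiSt ../../\r\n",   # mixed-case command with traversal
    b"LIST ..\r\n",       # single "..": below the rule's threshold
    b"list pub\r\n",      # benign listing
]

def evaluate():
    """Return (line, current_rule_hit, proposed_rule_hit) per sample."""
    return [(s, rule_matches(s, CURRENT_RULE), rule_matches(s, PROPOSED_RULE))
            for s in SAMPLES]

if __name__ == "__main__":
    for line, cur, new in evaluate():
        print(f"{line!r:22} current={cur!s:5} proposed={new}")
```
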



