[Snort-sigs] Avoidance of 1992.5 (FTP LIST directory traversal attempt)

Brian bmc at ...95...
Tue Jul 6 08:01:02 EDT 2004


On Fri, Jul 02, 2004 at 06:00:00PM -0600, nnposter at ...592... wrote:
> I am proposing to add "nocase" to the command content clause:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 
> (msg:"FTP LIST directory traversal attempt"; 
> flow:to_server,established; 
> content:"LIST"; nocase;
> content:".."; distance:1; content:".."; distance:1; 
> reference:bugtraq,2618; reference:cve,2001-0680; reference:nessus,11112; 
> classtype:protocol-command-decode; sid:1992; rev:6;)

yep.

-b
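
The effect of the proposed `nocase`, as an added example that is not part of the original post or of Snort itself: a simplified Python model of the rule's three content matches, run over constructed FTP command lines. Rev 5 is modelled as the quoted rule without `nocase` (an assumption based on the proposal); `flow` and the other rule options are not modelled.

```python
# Simplified model of Snort content matching (content / nocase / distance).
# Not Snort's code: flow, msg, reference and classtype are not modelled.

def find_after(payload: bytes, pattern: bytes, start: int, nocase: bool) -> int:
    """Offset just past the first match at or after `start`, or -1."""
    if nocase:  # ASCII case folding, as needed for FTP command verbs
        payload, pattern = payload.lower(), pattern.lower()
    idx = payload.find(pattern, start)
    return -1 if idx < 0 else idx + len(pattern)

def rule_matches(payload: bytes, contents) -> bool:
    """contents: (pattern, nocase, distance) tuples in rule order.
    distance is the minimum gap after the end of the previous match."""
    cursor = 0
    for pattern, nocase, distance in contents:
        cursor = find_after(payload, pattern, cursor + distance, nocase)
        if cursor < 0:
            return False
    return True

# Assumption: rev 5 is the quoted rule without nocase on "LIST".
REV5 = [(b"LIST", False, 0), (b"..", False, 1), (b"..", False, 1)]
REV6 = [(b"LIST", True, 0), (b"..", False, 1), (b"..", False, 1)]

# Constructed FTP control-channel lines (not captured traffic).
SAMPLES = [
    b"LIST ../../\r\n",
    b"list ../../\r\n",
    b"LiSt ../../\r\n",
    b"LIST pub\r\n",
]

def compare(samples=SAMPLES):
    """Return (payload, rev5_hit, rev6_hit) for each sample."""
    return [(p, rule_matches(p, REV5), rule_matches(p, REV6)) for p in samples]

if __name__ == "__main__":
    for payload, r5, r6 in compare():
        print(f"{payload!r:24} rev5={r5!s:5} rev6={r6}")
```

The same constructed lines can be replayed against a sensor after the rule update to confirm that sid 1992 fires regardless of command case.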



