[Snort-sigs] Rules to detect recent Serv-u vulnerabilities

Brian bmc at ...95...
Tue Jun 15 06:20:04 EDT 2004


On Fri, May 07, 2004 at 10:15:07AM +0200, Javier Fernandez-Sanguino wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u CHMOD
> buffer overflow"; flow:to_server,established; content: "SITE CHMOD";
> nocase;  content:!"|0a|"; within:50; reference:bugtraq,9675;
> reference: nessus, 12037; classtype:bad-unknown;)


This rule is easy to evade.

SITE    CHMOD would evade this rule.

BTW, we already have a rule to detect this vulnerability.

sid:2340.

> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u LIST
> buffer overflow"; flow:to_server,established; content: "LIST -l";
> nocase; content:!"|0a|"; within:50; reference:bugtraq,10181;
> classtype:bad-unknown;)

We already have a rule to detect this vulnerability.  sid:2338.

> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u MDTM
> Command Time argument buffer overflow"; flow:to_server,established;
> content: "MDTM"; nocase; content:!"|0a|"; within:50;
> reference:bugtraq,9751; reference:bugtraq,9483;
> classtype:bad-unknown;)

This too.

2546 & 2416 fire on this vulnerability.

> # This one only covers exploits related to
> # http://securityfocus.com/bid/9751
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u MDTM
> Command Time argument buffer overflow exploit use";
> flow:to_server,established; content: "MDTM 20031111111111"; nocase;
> content:!"|0a|"; within:50; reference:bugtraq,9751;
> classtype:bad-unknown;)

Yeah, same as above.  2546 & 2416.

Brian
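To make the evasion in Brian's reply concrete, here is an added worked example; it is not part of the original post, not Snort code, and not the text of sid 2340. It re-implements the quoted CHMOD rule's content checks in Python (a literal, case-insensitive "SITE CHMOD" followed by no line feed within 50 bytes) and runs them beside a whitespace-tolerant regex over constructed FTP command lines, so you can see that "SITE    CHMOD" (and a tab separator) slips past the literal match while the regex still fires and the short benign command stays quiet. The sample lines, the function names and the tolerant pattern are all assumptions made for this example.

```python
import re

# Constructed sample FTP command lines for illustration; these are not
# captures from any real Serv-U host or from the Snort-sigs thread.
SAMPLES = {
    # Long SITE CHMOD argument, the shape the quoted rule is meant to catch.
    "single_space": b"SITE CHMOD 777 " + b"A" * 200 + b"\r\n",
    # Same command with the extra spaces Brian points out between the
    # verb and the sub-command.
    "multi_space": b"SITE    CHMOD 777 " + b"A" * 200 + b"\r\n",
    # A tab separator is another variant the literal match never sees.
    "tab": b"SITE\tCHMOD 777 " + b"A" * 200 + b"\r\n",
    # Ordinary short command that should not alert.
    "benign": b"SITE CHMOD 644 public_html/index.html\r\n",
}


def literal_rule_matches(payload: bytes) -> bool:
    """Approximate the quoted rule's content checks in Python:

        content:"SITE CHMOD"; nocase;  content:!"|0a|"; within:50;

    Fires when the literal 'SITE CHMOD' is present (case-insensitive) and
    no line feed appears in the 50 bytes that follow that match, i.e. the
    argument runs on for at least 50 bytes without ending the command.
    """
    needle = b"site chmod"
    idx = payload.lower().find(needle)
    if idx == -1:
        return False
    end = idx + len(needle)
    return b"\n" not in payload[end:end + 50]


# Whitespace-tolerant equivalent (an assumption about how one would
# harden the rule, not the text of Snort sid 2340): any run of
# whitespace between SITE and CHMOD, then 50 or more non-LF bytes.
WHITESPACE_TOLERANT = re.compile(
    rb"^SITE\s+CHMOD[^\n]{50,}", re.IGNORECASE | re.MULTILINE
)


def tolerant_rule_matches(payload: bytes) -> bool:
    """Same detection goal, but separator-agnostic."""
    return WHITESPACE_TOLERANT.search(payload) is not None


def evaluate(samples=SAMPLES):
    """Run both matchers over every sample.

    Returns {name: (literal_fires, tolerant_fires)}.
    """
    return {
        name: (literal_rule_matches(p), tolerant_rule_matches(p))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, (lit, tol) in evaluate().items():
        print(f"{name:13s} literal={lit!s:5s} whitespace-tolerant={tol}")
```

The "LIST -l" rule quoted further down has the same single-space literal and is open to the same trick. In Snort itself the separator tolerance would normally be expressed with a pcre option using \s+ rather than a plain content match; what the existing sids Brian cites actually contain is not shown on this page.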
