[Snort-sigs] Rules to detect recent Serv-u vulnerabilities

Javier Fernandez-Sanguino jfernandez at ...2106...
Tue Jun 15 09:56:10 EDT 2004


Brian wrote:

> On Fri, May 07, 2004 at 10:15:07AM +0200, Javier Fernandez-Sanguino wrote:
> 
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u CHMOD
>>buffer overflow"; flow:to_server,established; content: "SITE CHMOD";
>>nocase;  content:!"|0a|"; within:50; reference:bugtraq,9675;
>>reference: nessus, 12037; classtype:bad-unknown;)
> 
> This rule is easy to evade.
> 
> SITE    CHMOD would evade this rule.

You are right. It seems those weren't in my Snort setup (2.0 Debian 
stable backported packages, self-made). I will have to update the 
ruleset of those packages with the latest snapshot... Sorry for that.

> 
> BTW, we already have a rule to detect this vulnerability.

It's missing a bugtraq reference (9675)

>>alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u LIST
>>buffer overflow"; flow:to_server,established; content: "LIST -l";
>>nocase; content:!"|0a|"; within:50; reference:bugtraq,10181;
>>classtype:bad-unknown;)
> 
> 
> We already have a rule to detect this vulnerability.  sid:2338.

It describes only GtkFtpd, maybe Serv-U should be added there? It does 
have the Bugtraq reference 10181.... which is related to Serv-U....

>>alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u MDTM
>>Command Time argument buffer overflow"; flow:to_server,established;
>>content: "MDTM"; nocase; content:!"|0a|"; within:50;
>>reference:bugtraq,9751; reference:bugtraq,9483;
>>classtype:bad-unknown;)
> This too.
> 
> 2546 & 2416 fire on this vulnerability.

None of them reference Bugtraq #9483 :-)

>># This one only covers exploits related to
>># http://securityfocus.com/bid/9751
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u MDTM
>>Command Time argument buffer overflow exploit use";
>>flow:to_server,established; content: "MDTM 20031111111111"; nocase;
>>content:!"|0a|"; within:50; reference:bugtraq,9751;
>>classtype:bad-unknown;)
> 
> 
> Yeah, same as above.  2546 & 2416.

Yeah, 2546 references Bugtraq #9751.

Thanks

Javier






More information about the Snort-sigs mailing list