[Snort-sigs] Rules to detect recent Serv-u vulnerabilities

Javier Fernandez-Sanguino jfernandez at ...2106...
Tue Jun 15 10:43:01 EDT 2004


Oh, and reviewing CVE 
(http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ftp) I believe the 
following CVE references might be relevant too:

- sid:361 should probably add CVE-1999-0080 and CVE-1999-0955 (SITE EXEC)

- sid:1379 should probably add CAN-2001-0325, CAN-2001-1021

- sid:1734 should probably add CAN-1999-1510, CAN-1999-1519, 
CAN-1999-1539 and CAN-1999-1514, CVE-2000-0761, CAN-2001-0256, 
CAN-2002-1522, CAN-2003-0271, CAN-2004-0286 (USER overflow)

- sid:1919 should probably add CVE-1999-0219, CAN-1999-1510, 
CAN-1999-1058, CAN-2002-0405 and CAN-2001-0781 (CWD overflow)

- sid:1972 should probably add CAN-1999-1519, CAN-1999-1539, 
CAN-2002-0895 (PASS overflow)

- sid:1975 should probably add CAN-2001-1021

- sid:1976 should probably add CAN-2000-0133 and CAN-2001-1021

- sid:1992 should probably add CVE-2002-1054

- sid:2179 should probably add CVE-2000-0699

- sid:2340 should add CVE-1999-0838

- sid:2343 should add CAN-2000-0133

- sid:2373 should probably add CAN-2000-0133, CAN-2001-1021

- sid:2374 should probably add CAN-1999-1544

- sid:2338 should add CAN-2000-0129, CVE-1999-0349 and CAN-1999-1510 
(LIST overflow)

- sid:2389 should add CAN-2000-0133, CAN-2001-1021

- sid:2391 should add CAN-2000-0133

- sid:2392 should add CAN-2004-0287, CAN-2004-0298

- sid:2546 and sid:2416 should add CAN-2001-1021, CAN-2004-0330


After digging I now know why I didn't have these rules: I don't find them in 
the latest snapshot or in the CVS (ftp.rules file). There seem to be 
a number of SIDs missing from the snapshot ruleset, am I missing 
something? Should these rules be available in the 2.0 and 2.1 snapshots?

Best regards

Javier

PS: For the 2.0 snapshot there are quite a lot of them....
$ ( cat sid-msg.map |grep -v ^# | awk '{ print $1 }'  | while read sid; do [ -z "`grep sid:$sid *.rules`" ] && echo $sid ; done  ) | wc -l
147
(it's 56 for the 2.1 snapshot, whereas 0 for the latest CVS)
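
An added example, not part of the original post: the same sid-msg.map versus *.rules comparison as the one-liner in the PS, written to compare whole SID numbers so that sid:36 is not counted as present merely because sid:361 is. The function names, sample map entries and rules are constructed for illustration.

```shell
#!/bin/sh
# missing_sids MAP RULES_DIR: print SIDs listed in MAP that no *.rules file defines.
missing_sids() {
    map=$1; dir=$2
    want=$(mktemp) || return 1
    have=$(mktemp) || { rm -f "$want"; return 1; }

    # Column 1 of sid-msg.map ("sid || msg || ref ..."); comment and blank
    # lines fail the numeric test and are skipped.
    awk '$1 ~ /^[0-9]+$/ { print $1 }' "$map" | sort -u > "$want"

    # Every "sid:N;" option in the rule files, reduced to the bare number.
    # Commented-out rules still count as present, as in the one-liner.
    cat "$dir"/*.rules 2>/dev/null |
        grep -oE 'sid:[[:space:]]*[0-9]+[[:space:]]*;' |
        tr -cd '0-9\n' | sort -u > "$have"

    # Lines found only in $want: mapped SIDs with no rule behind them.
    comm -23 "$want" "$have"
    rm -f "$want" "$have"
}

# Constructed sample data (not real Snort rules): sid 36 and 9999 have no rule,
# and sid 361 is present, so a substring match on "sid:36" would hide sid 36.
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/sid-msg.map" <<'EOF'
# sid || msg
36 || constructed rule A
361 || constructed SITE EXEC rule
1734 || constructed USER overflow rule
9999 || constructed rule B
EOF
    cat > "$d/ftp.rules" <<'EOF'
alert tcp any any -> any 21 (msg:"constructed SITE EXEC rule"; content:"SITE"; sid:361; rev:1;)
# alert tcp any any -> any 21 (msg:"constructed USER overflow rule"; content:"USER"; sid:1734; rev:1;)
EOF
    echo "$d"
}

sample=$(make_sample)
missing_sids "$sample/sid-msg.map" "$sample"
rm -rf "$sample"
```

Piping the output through `wc -l` gives a count comparable to the figures quoted in the PS.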




