[Snort-sigs] pcre syntax error for sid 1229

Milani Paolo Paolo.Milani at ...1843...
Fri Mar 19 04:48:04 EST 2004


Hi,

sid 1229 "FTP CWD ..." (from a 2.1 snapshot which is only a few days old) gives a lot of false positives because of an error in the 
regular expression syntax: the special character '.' (match anything except $) was not escaped.

This is my fixed version. (I only escaped the dots).

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:6;)

As a sidenote: isn't using non-greedy quantifiers very bad in terms of performance? 

ciao,
Paolo Milani


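A worked check of the fix described above, added here as an example (it is not part of the post or of the Snort ruleset): it runs the unescaped and the escaped PCRE over a constructed set of FTP CWD command lines with Python's re module, translating the /smi modifiers to re.S | re.M | re.I, and lists the lines that only the unescaped pattern flags. It also compares the rule's non-greedy [^\n]*? with a greedy [^\n]* on the same input: for a match/no-match decision the two flag the same lines, since greediness only changes which match is chosen, not whether one exists. The sample commands are invented for the demonstration.

```python
import re

# Constructed FTP CWD command lines for the demonstration (not real traffic).
SAMPLE_CWD_COMMANDS = [
    "CWD ...",                # the literal triple dot the rule is meant to catch
    "CWD /pub/...",           # triple dot later in the argument
    "CWD ...../",             # more than three dots
    "CWD pub",                # benign: three characters, no dots
    "CWD /incoming/uploads",  # benign long path
    "CWD a.b",                # benign: single dots only
    "CWD ..",                 # benign parent directory
    "CWD /",                  # benign: too short for three characters to match
]

# Python equivalents of the Snort pcre options: s -> re.S, m -> re.M, i -> re.I.
FLAGS = re.S | re.M | re.I

# The original pattern: the unescaped dots match any three characters.
UNESCAPED = re.compile(r"^CWD\s[^\n]*?...", FLAGS)

# The corrected pattern from the post: dots escaped, so only a literal "..." matches.
ESCAPED = re.compile(r"^CWD\s[^\n]*?\.\.\.", FLAGS)

# Greedy variant of the corrected pattern, for the sidenote on non-greedy quantifiers.
GREEDY = re.compile(r"^CWD\s[^\n]*\.\.\.", FLAGS)


def matches(pattern, line):
    """True if the pattern would fire on this command line."""
    return pattern.search(line) is not None


def false_positives(lines):
    """Lines flagged by the unescaped pattern but not by the escaped one."""
    return [l for l in lines if matches(UNESCAPED, l) and not matches(ESCAPED, l)]


def greedy_agrees(lines):
    """True if greedy and non-greedy versions flag exactly the same lines."""
    return all(matches(GREEDY, l) == matches(ESCAPED, l) for l in lines)


if __name__ == "__main__":
    for line in SAMPLE_CWD_COMMANDS:
        print(f"{line!r:28} unescaped={matches(UNESCAPED, line)!s:5} "
              f"escaped={matches(ESCAPED, line)}")
    print("false positives of the unescaped rule:", false_positives(SAMPLE_CWD_COMMANDS))
    print("greedy and non-greedy agree:", greedy_agrees(SAMPLE_CWD_COMMANDS))
```

Any CWD argument of three or more characters fires the unescaped rule, which is why the original revision alerted on ordinary directory changes; the escaped pattern only fires when the argument actually contains three consecutive dots.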