[Snort-sigs] FP for sid:1107

Jeff Kell jeff-kell at ...922...
Thu Aug 4 21:11:12 EDT 2005

Rule:   WEB-MISC ftp.pl access
Sid:   1:1107
Additional References:  given bugtraq: 1471 description, existing signature is not specific enough.
Detailed Information:  Involves a canned ftp script with a directory traversal weakness.  Existing signature only checks uricontent:"/ftp.pl"; nocase;

This particular script/exploit also requires an &dir= parameter with a directory traversal indication, so at a minimum I would add uricontent:"&dir="; nocase; distance 1; within 20; and if you want it to be even more stringent, add uricontent:"../"; distance 1; within 20;

Or just disable the rule (target is Virtual Vision FTP Browser from July 2000).  


More information about the Snort-sigs mailing list