[Snort-sigs] False positive and negative in 2416.5 (FTP invalid MDTM command attempt)

nnposter nnposter at ...592...
Fri Feb 25 13:21:53 EST 2005

Rule:  FTP invalid MDTM command attempt

Sid: 2416

False negative:
Simple space evasion after MDTM

False positive:
Any file named \d+[-+]\D such as:
MDTM 123-abc

I am proposing the following modification:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
(msg:"FTP invalid MDTM command attempt"; flow:to_server,established; \
content:"MDTM"; nocase; \
pcre:"/^MDTM[ \t]+\d+[-+]\D\S{46}/smi"; \
reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; \
classtype:attempted-admin; sid:2416; rev:6;)
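An added example, not part of the original post, that checks the proposed pcre against the two cases the post describes. The pattern is evaluated with Python's re module rather than Snort's PCRE engine (the syntax used here is the same in both). ORIGINAL_ASSUMED is an assumption: a reconstruction of the pre-rev-6 pattern from the post's description (a single literal space after MDTM and no length requirement), not a quote of the earlier rule. The FTP command lines are constructed samples.

```python
import re

# Proposed pcre from the post, flags s/m/i mapped to Python's re flags.
PROPOSED = re.compile(r"^MDTM[ \t]+\d+[-+]\D\S{46}", re.S | re.M | re.I)

# Assumed earlier pattern (reconstructed from the post's description of the
# false positive and false negative; not the text of the earlier rule).
ORIGINAL_ASSUMED = re.compile(r"^MDTM \d+[-+]\D", re.S | re.M | re.I)

# Constructed FTP command lines, one per scenario in the post.
SAMPLES = {
    # benign filename matching \d+[-+]\D with nothing long after it
    "benign_short_name": "MDTM 123-abc\r\n",
    # space evasion: two spaces after MDTM, followed by an oversized argument
    "double_space_evasion": "MDTM  123-" + "A" * 60 + "\r\n",
    # tab instead of a space after MDTM, same oversized argument
    "tab_evasion": "MDTM\t123+" + "A" * 60 + "\r\n",
    # single space and oversized argument: both patterns should fire
    "plain_oversized": "MDTM 123-" + "A" * 60 + "\r\n",
}


def evaluate(command: str) -> dict:
    """Report which of the two patterns fire on a single FTP command line."""
    return {
        "original": ORIGINAL_ASSUMED.search(command) is not None,
        "proposed": PROPOSED.search(command) is not None,
    }


def run_samples() -> dict:
    """Evaluate every constructed sample; keys are scenario names."""
    return {name: evaluate(cmd) for name, cmd in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:22s} original={result['original']!s:5s} "
              f"proposed={result['proposed']}")
```

The benign filename fires only the assumed earlier pattern (the false positive), the two evasion samples fire only the proposed pattern (the false negative is closed by `[ \t]+`), and the plain oversized argument fires both. The `\S{46}` tail is what separates a short legitimate filename from an argument long enough to matter; if you change that count, re-run the samples rather than trusting the pattern by inspection.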
