[Snort-sigs] Proposed improvement for SID 553

Frank Knobbe frank at ...1978...
Mon Mar 21 14:11:39 EST 2005


Greetings,

it seems that SID 553 (POLICY FTP anonymous login attempt) falses easily
on user names like ftp-blahuser. The sig currently reads:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:553; rev:7;)

I propose to change it to:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+(anonymous|ftp)(\x0d|\x0a)/smi"; classtype:misc-activity; sid:553; rev:7;)

Alternatively, a check for word boundary on (anonymous|ftp) might work
too.

Regards,
Frank
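The following is an added example, not part of Frank's post or of the Snort ruleset: it runs the three candidate PCRE patterns (the current rev:7 pattern, the proposed CRLF-anchored pattern, and the word-boundary alternative Frank mentions) over a handful of constructed FTP USER commands using Python's re module, with the /smi modifiers mapped to re.S, re.M and re.I. The sample payloads, the rule names and the helper functions are all assumptions made for illustration. Two details worth noting before adopting either variant: a `\b` after `ftp` still matches `ftp-blahuser`, because `-` is a non-word character, so only the CRLF form removes that false positive; and the CRLF form no longer matches a payload with whitespace between the user name and the line terminator. Also, a shipped change to the rule would bump rev beyond 7.

```python
import re

# Constructed client->server FTP payloads (CRLF-terminated, as RFC 959
# requires). These are illustrative samples, not traffic from the post.
SAMPLES = [
    "USER anonymous\r\n",      # genuine anonymous login
    "USER ftp\r\n",            # genuine anonymous login
    "user FTP\r\n",            # same, exercising the /i modifier
    "USER ftp-blahuser\r\n",   # the false positive described in the post
    "USER ftpadmin\r\n",       # another legitimate name that begins with "ftp"
    "USER anonymous \r\n",     # trailing space before the line terminator
    "USER bob\r\n",            # unrelated user name
]

# Candidate pcre bodies. The names are hypothetical labels for this example.
RULES = {
    "sid553_rev7": r"^USER\s+(anonymous|ftp)",               # current rule
    "proposed_crlf": r"^USER\s+(anonymous|ftp)(\x0d|\x0a)",  # Frank's proposal
    "word_boundary": r"^USER\s+(anonymous|ftp)\b",           # alternative he mentions
}

# Snort's /smi modifiers map onto Python's DOTALL, MULTILINE and IGNORECASE.
FLAGS = re.S | re.M | re.I


def content_prefilter(payload):
    """Emulate the rule's content:"USER"; nocase; fast-pattern check."""
    return "user" in payload.lower()


def matching_rules(payload):
    """Return the names of the candidate patterns that fire on this payload."""
    if not content_prefilter(payload):
        return []
    return [name for name, pat in RULES.items() if re.search(pat, payload, FLAGS)]


def evaluate(samples=SAMPLES):
    """Map each sample payload to the list of candidate patterns that match it."""
    return {payload: matching_rules(payload) for payload in samples}


if __name__ == "__main__":
    for payload, hits in evaluate().items():
        print(f"{payload!r:28} -> {', '.join(hits) or '(no match)'}")
```

Running the block prints one line per sample; the line for `USER ftp-blahuser\r\n` shows the current rule and the word-boundary variant both firing while the CRLF-anchored variant stays quiet, which is the behaviour the post is after.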
