[Snort-sigs] Proposed improvement for SID 553

nnposter at ...592...
Mon Mar 21 14:49:06 EST 2005


Frank Knobbe wrote:
> it seems that SID 553 (POLICY FTP anonymous login attempt) falses easily
> on user names like ftp-blahuser. The sig currently reads:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous
> login attempt"; flow:to_server,established; content:"USER"; nocase;
> pcre:"/^USER\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:553;
> rev:7;)
> 
> I propose to change it to:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous
> login attempt"; flow:to_server,established; content:"USER"; nocase;
> pcre:"/^USER\s+(anonymous|ftp)(\x0d|\x0a)/smi"; classtype:misc-activity;
> sid:553; rev:7;)

This is vulnerable to space evasion. Try this instead:

    /^USER\s+(anonymous|ftp)\s/smi

> Alternatively, a check for word boundary on (anonymous|ftp) might work
> too.

It would not. Dash *is* causing a word boundary.


Cheers,
nnposter
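Added example, not part of the thread: the rev 7 body, Frank's CR/LF variant, nnposter's `\s` variant and the word-boundary alternative applied in Python (re flags standing in for PCRE's /smi) to a few constructed USER commands. It shows the ftp-blahuser false positive, the trailing-space miss of the CR/LF variant, and why `\b` does not help.

```python
import re

# PCRE /smi on the Snort rule corresponds to DOTALL | MULTILINE | IGNORECASE.
FLAGS = re.S | re.M | re.I

# The pcre bodies discussed in the thread plus the word-boundary variant.
PATTERNS = {
    "rev7":           r"^USER\s+(anonymous|ftp)",
    "crlf":           r"^USER\s+(anonymous|ftp)(\x0d|\x0a)",
    "whitespace":     r"^USER\s+(anonymous|ftp)\s",
    "word_boundary":  r"^USER\s+(anonymous|ftp)\b",
}

# Constructed client-to-server payloads (not taken from the thread).
# The bool records whether the rule is meant to alert on that login.
SAMPLES = [
    (b"USER anonymous\r\n",    True),   # ordinary anonymous login
    (b"USER ftp\r\n",          True),   # the other conventional name
    (b"USER ftp-blahuser\r\n", False),  # Frank's false positive
    (b"USER anonymous \r\n",   True),   # trailing space: the "space evasion"
    (b"USER Anonymous\r\n",    True),   # exercises the i flag / nocase
    (b"USER ftpadmin\r\n",     False),  # prefix-only collision
]

def matches(pattern: str, payload: bytes) -> bool:
    """Apply one rule body to one payload as the Snort pcre option would."""
    return re.search(pattern, payload.decode("latin-1"), FLAGS) is not None

def evaluate(pattern: str):
    """Return (false_positives, misses) for a pattern over SAMPLES."""
    fps = [p for p, want in SAMPLES if not want and matches(pattern, p)]
    misses = [p for p, want in SAMPLES if want and not matches(pattern, p)]
    return fps, misses

if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        fps, misses = evaluate(pat)
        print(f"{name:14} false positives={fps} misses={misses}")
```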
