[Snort-sigs] New rule for detect ftp MKD overflow

Alex Kirk alex.kirk at ...435...
Tue Oct 11 07:16:57 EDT 2005


That rule already exists as SID 1973:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:nessus,12108; classtype:attempted-admin; sid:1973; rev:9;)

I'll investigate your reference and look into getting it added if 
appropriate.

Alex Kirk
Community Rules Maintainer
Sourcefire, Inc.

> Hi,
>
> Please check and add this rule:
>
> ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt"; content:"MKD"; nocase; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,11772; classtype:attempted-admin;)
>
> Regards
> Rmkml
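
Added example, not part of the original thread and not Sourcefire's code: a Python model of the payload options in the two rules above, run over constructed FTP command payloads to show where the 100-byte threshold falls and that both rules reach the same verdict on payload content. Assumptions: Python's `re` stands in for PCRE, `isdataat:100,relative` is simplified to "a byte exists 100 positions past the end of some MKD match", `flow` is not modelled, and all function and sample names are hypothetical.

```python
import re

# PCRE shared by both rules: /^MKD\s[^\n]{100}/smi
# (s -> DOTALL, m -> MULTILINE, i -> IGNORECASE; Python's re stands in for PCRE)
MKD_PCRE = re.compile(rb"^MKD\s[^\n]{100}", re.S | re.M | re.I)
CONTENT = re.compile(rb"MKD", re.I)  # content:"MKD"; nocase;

def content_ends(payload):
    """End offsets of every case-insensitive "MKD" in the payload."""
    return [m.end() for m in CONTENT.finditer(payload)]

def isdataat_100_relative(payload):
    """Simplified isdataat:100,relative (assumption: any content match may anchor it)."""
    return any(end + 100 < len(payload) for end in content_ends(payload))

def proposed_rule(payload):
    """Payload options of the submitted rule: content + pcre."""
    return bool(content_ends(payload)) and MKD_PCRE.search(payload) is not None

def sid_1973(payload):
    """Payload options of SID 1973: content + isdataat + pcre (flow not modelled)."""
    return isdataat_100_relative(payload) and MKD_PCRE.search(payload) is not None

# Constructed client-to-server payloads, not captured traffic.
SAMPLES = {
    "short":       b"MKD newdir\r\n",
    "arg_99":      b"MKD " + b"A" * 99,            # one byte under the threshold
    "arg_99_crlf": b"MKD " + b"A" * 99 + b"\r\n",  # \r is not \n, so it counts
    "arg_100":     b"MKD " + b"A" * 100 + b"\r\n",
    "lowercase":   b"mkd " + b"A" * 120 + b"\r\n",
    "second_cmd":  b"NOOP\r\nMKD " + b"A" * 100 + b"\r\n",  # /m anchors ^ per line
    "xmkd":        b"XMKD " + b"A" * 120 + b"\r\n",  # content hits, ^MKD does not
    "split_arg":   b"MKD " + b"A" * 50 + b"\n" + b"A" * 60 + b"\r\n",
}

def verdicts():
    """Map sample name -> (proposed rule fires, SID 1973 fires)."""
    return {name: (proposed_rule(p), sid_1973(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (new, old) in verdicts().items():
        print(f"{name:<12} proposed={new!s:<5} sid1973={old}")
```

In this model `isdataat` only acts as a cheap pre-filter: every payload the PCRE accepts already has the required 100 bytes after `MKD`, so the verdicts differ only through `flow`, which is outside the payload.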
