[Snort-sigs] Crusoe Researches offer new rule for detecting IIS FTP recursion DoS

rmkml rmkml at ...324...
Fri Sep 4 11:29:19 EDT 2009


Hi,

Crusoe Researches offering a new rule for detecting IIS FTP recursion DoS:
  http://www.Crusoe-Researches.com/en/ftpmicrosoftiisv5v6listrecursiveglobbingdirtraversaldos.txt
remember to adjust the src/dst ips/ports variables!

Credits:
Crusoe Researches
http://www.Crusoe-Researches.com
contact at ...3281...
=> Crusoe Researches have more than 4160 UNIQ 'snort' rules for Commercial Access
             (Contact me directly if you are interested)

Crusoe Researches support Bro idps v1.4.6 project format rules (http://www.bro-ids.org/):
signature sid-94160 {
  ip-proto == tcp
  dst-port == ftp_ports
  event "FTP Microsoft IISv5v6 LIST recursive and globbing and dir traversal DoS attempt"
  tcp-state established,originator
  payload /.*[Ll][Ii][Ss][Tt][[:blank:]]*[^\n]*\-[Rr][^\n]*\*[^\n]*\.\.(\\|\/)/
}

Happy Detect
Regards
Rmkml
Crusoe-Researches.com




More information about the Snort-sigs mailing list