[Snort-users] ftp glob rule

Brian Caswell bmc at ...312...
Fri Apr 20 23:28:40 EDT 2001


alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXPLOIT ftp glob attempt"; content:"|2a|"; offset:5; content:"|2f|"; content:"|2a|"; content:"|2f|"; reference:cve,CAN-2001-0247; reference:bugtraq,2548; classtype:attempted-admin;)

This triggers the FBSD STAT & OpenBSD LIST exploits.

04/20-21:50:58.784113 192.168.0.1:7545 -> 192.168.0.2:21
TCP TTL:64 TOS:0x0 ID:52015 IpLen:20 DgmLen:562 DF
***AP*** Seq: 0xC6957C57  Ack: 0xE33EE09F  Win: 0x4333  TcpLen: 32
TCP Options (3) => NOP NOP TS: 50142000 714208
4C 49 53 54 20 2A 2F 2E 2E 2F 2A 2F 2E 2E 2F 2A  LIST */../*/../*
2F 2E 2E 2F 2A 2F 2E 2E 2F 2A 2F 2E 2E 2F        /../*/../*/../

-- 
Brian Caswell
The MITRE Corporation
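
Added example (not part of the original post and not Snort code): a Python model of the rule's content/offset options, run over the payload bytes from the dump above and a few constructed FTP command lines. It assumes each content option without a relative modifier is searched independently over the payload and that offset:5 applies only to the first one; the function names are hypothetical.

```python
# Added example: models only the content/offset options of the rule above.
# Assumption: a content option with no relative modifier is searched on its
# own over the whole payload; offset:N starts that one search at byte N.

# (pattern, offset) pairs transcribed from the rule in the post.
RULE_CONTENTS = [(b"\x2a", 5), (b"\x2f", 0), (b"\x2a", 0), (b"\x2f", 0)]

# Payload bytes copied from the hex dump in the post (only these are shown).
DUMP_HEX = """
4C 49 53 54 20 2A 2F 2E 2E 2F 2A 2F 2E 2E 2F 2A
2F 2E 2E 2F 2A 2F 2E 2E 2F 2A 2F 2E 2E 2F
"""

# Constructed FTP command lines, not taken from the post.
CONSTRUCTED = [
    b"LIST /pub/*.tar.gz\r\n",
    b"NLST *.txt\r\n",
    b"CWD /pub/incoming\r\n",
]


def dump_payload() -> bytes:
    """Decode the hex columns of the packet dump into raw payload bytes."""
    return bytes.fromhex("".join(DUMP_HEX.split()))


def content_hits(payload, contents=RULE_CONTENTS):
    """Index of the first hit for each content option, -1 where it is absent."""
    return [payload.find(pattern, offset) for pattern, offset in contents]


def rule_matches(payload, contents=RULE_CONTENTS):
    """The rule fires only when every content option is found."""
    return all(hit != -1 for hit in content_hits(payload, contents))


if __name__ == "__main__":
    for payload in [dump_payload()] + CONSTRUCTED:
        verdict = "ALERT" if rule_matches(payload) else "pass "
        print(verdict, content_hits(payload), payload)
```

Under that assumption the constructed `LIST /pub/*.tar.gz` line alerts as well, since any payload with a `*` at or after byte 5 and a `/` anywhere satisfies all four content options.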



