[Snort-users] ftp glob rule

Max Vision vision at ...4...
Sat Apr 21 03:13:35 EDT 2001


Hi,

I published IDS487 on March 16 to detect this,
http://whitehats.com/info/IDS487

My rule catches all variations of the attack and should not false positive
or false negative.

Question: you have multiple content rules that are the same string, does
snort really discern that these are separate strings to be detected, or
will each one consider the entire payload (therefore meaning that the
second two are redundant)?  My rule watches for "|2f2a|".

Max

On Fri, 20 Apr 2001, Brian Caswell wrote:

> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXPLOIT ftp glob
> attempt"; content:"|2a|"; offset:5; content:"|2f|"; content:"|2a|";
> content:"|2f|"; reference:cve,CAN-2001-0247; reference:bugtraq,2548;
> classtype:attempted-admin;)
>
> This triggers the FBSD STAT & OpenBSD LIST exploits.
>
> 04/20-21:50:58.784113 192.168.0.1:7545 -> 192.168.0.2:21
> TCP TTL:64 TOS:0x0 ID:52015 IpLen:20 DgmLen:562 DF
> ***AP*** Seq: 0xC6957C57  Ack: 0xE33EE09F  Win: 0x4333  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 50142000 714208
> 4C 49 53 54 20 2A 2F 2E 2E 2F 2A 2F 2E 2E 2F 2A  LIST */../*/../*
> 2F 2E 2E 2F 2A 2F 2E 2E 2F 2A 2F 2E 2E 2F        /../*/../*/../
>
> --
> Brian Caswell
> The MITRE Corporation
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
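The question in the thread, whether several identical `content` options are each matched against the whole payload or relative to one another, can be made concrete with a toy matcher. This is an added illustration, not Snort's source or either poster's rule code: the `Content` class and `match_rule` are assumptions that model absolute `offset` searching versus relative searching (modelled loosely on Snort's `distance` modifier), the attack payload is taken from the packet dump in the quoted message, and the benign `LIST */` payload is constructed.

```python
"""Toy model of content matching with absolute vs. relative search.

Added example, not Snort's implementation. It exists to show why four
independent content options can all land on the same bytes, and what
changes when later options are anchored relative to the previous match.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Content:
    pattern: bytes
    offset: int = 0                 # absolute: begin searching at this byte
    distance: Optional[int] = None  # relative: begin this many bytes after the previous match


def match_rule(payload: bytes, contents: list) -> list:
    """Return the index where each content option matched, or [] if any fails.

    A content with `distance` set searches from the end of the previous
    match; otherwise it searches from its own absolute `offset`, with no
    knowledge of what earlier options matched (the "independent" model).
    """
    positions = []
    cursor = 0
    for c in contents:
        start = cursor + c.distance if c.distance is not None else c.offset
        idx = payload.find(c.pattern, start)
        if idx < 0:
            return []
        positions.append(idx)
        cursor = idx + len(c.pattern)
    return positions


def has_redundant_matches(positions: list) -> bool:
    """True when two content options matched the very same bytes."""
    return len(set(positions)) < len(positions)


# Payload reconstructed from the hex dump quoted in the thread (30 bytes).
GLOB_ATTACK = b"LIST */../*/../*/../*/../*/../"
# Constructed benign wildcard listing, which is not the glob attack.
BENIGN_LIST = b"LIST */"

# The quoted rule: four independent contents, first one anchored at offset 5.
INDEPENDENT_RULE = [Content(b"*", offset=5), Content(b"/"), Content(b"*"), Content(b"/")]
# Same bytes, but each later content must occur after the previous match.
RELATIVE_RULE = [Content(b"*", offset=5), Content(b"/", distance=0),
                 Content(b"*", distance=0), Content(b"/", distance=0)]
# Single-content variant watching for "|2f2a|" ("/*"), as Max describes.
SLASH_STAR_RULE = [Content(b"/*")]


def evaluate(payload: bytes) -> dict:
    """Run every rule over a payload and report positions and redundancy."""
    report = {}
    for name, rule in (("independent", INDEPENDENT_RULE),
                       ("relative", RELATIVE_RULE),
                       ("slash_star", SLASH_STAR_RULE)):
        pos = match_rule(payload, rule)
        report[name] = {"matched": bool(pos), "positions": pos,
                        "redundant": has_redundant_matches(pos)}
    return report


if __name__ == "__main__":
    for label, p in (("attack", GLOB_ATTACK), ("benign", BENIGN_LIST)):
        print(label, evaluate(p))
```

Under the independent model the third and fourth contents of the quoted rule land on the same `*` and `/` as the first two, so the rule also fires on a plain `LIST */`; the relative variant requires a second `*/` after the first and stays quiet on the benign listing, which is the distinction Max's question is asking about.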




