[Snort-users] ftp glob rule
bmc at ...312...
Sat Apr 21 10:06:57 EDT 2001
Max Vision wrote:
> I published IDS487 on March 16 to detect this.
> My rule catches all variations of the attack and should not false positive
> or false negative.
> Question: you have multiple content rules that are the same string. Does
> snort really discern that these are separate strings to be detected, or
> will each one consider the entire payload (therefore meaning that the
> second two are redundant)? My rule watches for "|2f2a|".
The reason I use multiple separate |2f| |2a| is that all of those can be
in use; LIST *?/?*?/?*?/?*?/?*?/*?*/ or STAT A*/../A*/../A*/ both work.
The second version is from the FreeBSD exploit from venglin. Searching
for /* doesn't catch either of those two examples. I tried |2f2a| and I
see that false positive quite a bit. If we really wanted to get nitty
gritty, if you build a directory structure beforehand, you could really
screw with someone's head. For example, STAT A?B/../C*D/../D*F/../ From
playing around with the venglin exploit for a while last night, I found
you must use / and you must use * to cause issues. Using the regex ?
does not seem to have the effect.
I just false negatived on my rule. HRPMF. Marty, you need to fix your
implementation regex:""; Now would be a great time for
The MITRE Corporation
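As an added example (not the rule from the post and not a Snort rule), this Python snippet compares the bare "/*" (|2f2a|) substring check against a heuristic that counts "/"-separated argument components containing "*", run over the two command lines quoted above plus a constructed benign listing; the component threshold and the benign sample are assumptions.

```python
"""Compare a bare "/*" byte match with a glob-component heuristic on FTP
control-channel lines. Example code added to this thread, not the post's rule."""

# FTP commands whose argument the server hands to its glob routine.
GLOB_COMMANDS = {"LIST", "NLST", "STAT"}
# Assumed threshold: both variants quoted in the post repeat "*" inside
# three or more "/"-separated components.
MIN_GLOB_COMPONENTS = 3


def naive_match(line: str) -> bool:
    """The plain match discussed in the post: content:"|2f2a|", i.e. "/*"."""
    return "/*" in line


def parse_command(line: str):
    """Split one control-channel line into (VERB, argument)."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    return verb.upper(), arg.strip()


def glob_components(arg: str) -> int:
    """Count the "/"-separated components of the argument that contain "*"."""
    return sum(1 for part in arg.split("/") if "*" in part)


def heuristic_match(line: str) -> bool:
    """Flag glob commands whose argument mixes "/" with repeated "*" components."""
    verb, arg = parse_command(line)
    if verb not in GLOB_COMMANDS:
        return False
    return "/" in arg and glob_components(arg) >= MIN_GLOB_COMPONENTS


# Constructed samples: the two variants quoted in the post, a benign listing
# that still contains "/*", and a bare LIST with no argument.
SAMPLE_LINES = [
    "LIST *?/?*?/?*?/?*?/?*?/*?*/",
    "STAT A*/../A*/../A*/",
    "LIST /home/*.txt",
    "LIST",
]


def evaluate(lines=SAMPLE_LINES):
    """Return {line: (naive_hit, heuristic_hit)} for side-by-side comparison."""
    return {ln: (naive_match(ln), heuristic_match(ln)) for ln in lines}


if __name__ == "__main__":
    for ln, (naive, heur) in evaluate().items():
        print(f"{ln!r:36} naive={naive!s:5} heuristic={heur}")
```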