[Snort-users] ftp glob rule

Max Vision vision at ...4...
Sat Apr 21 16:10:29 EDT 2001


Ah!  I stand corrected.  I hadn't looked closely enough at the other
attacks.  Looks like both rules have problems and that we should find
another way to catch this (though yours would catch more variations of the
attack than mine - you might also want to remove the depth tag or
whitespace could be prepended).  Your proposed regex would be perfect, if
it would work in snort.. I haven't looked, but it seems if hex is
converted to its ascii equivelent first, then the regex routine would
interpret the "*" as a wildcard, and not match on it.  Any insight on this
from the author of the mSearchREG routine would be appreciated :)

Max

On Sat, 21 Apr 2001, Brian Caswell wrote:
> The reason I use multiple seperate |2f| |2a| is that all of those can be
> easily bypassed.
>
> using LIST *?/?*?/?*?/?*?/?*?/*?*/ or STAT A*/../A*/../A*/ work.
>






More information about the Snort-users mailing list