[Snort-users] space in "CWD / " rule

Habu Takuya habu at ...1066...
Fri Mar 2 06:24:58 EST 2001


Hello,
I have a question about "FTP CWD / " rule.

Here is the rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
(msg:"FTP CWD / - possible warez site"; flags: A+; \
content:"CWD / "; nocase; depth: 6;)

When someone attempts to go to root directory (i.e. "cd /"),
the content is "CWD /" WITHOUT space after slash, I believe.
So it doesn't match.
(if it means this attempt, the rule might be
content: "CWD /|0a|" or content: "CWD /|0d 0a|")

What does the space after slash mean?
Would you describe to me why this is the signature of a
"possible warez site", or show me where the reference is?

I couldn't get any information from information pages
such as arachNIDS...
