[Snort-users] space in "CWD / " rule

Chris Green cmg at ...671...
Fri Mar 2 12:51:29 EST 2001


"Habu Takuya" <habu at ...1066...> writes:

> Hello,
> I have a question about "FTP CWD / " rule.
> 
> Here is the rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
> (msg:"FTP CWD / - possible warez site"; flags: A+; \
> content:"CWD / "; nocase; depth: 6;)
> 
> When someone attempts to go to root directory (i.e. "cd /"),
> the content is "CWD /" WITHOUT space after slash, I believe.
> So it doesn't match.
> (if it means this attempt, the rule might be
> content: "CWD /|0a|" or content: "CWD /|0d 0a|")
> 
> What does the space after slash mean?
> Would you describe to me why this is the signature of a
> "possible warez site", or show me where the reference is?

I'll take the blame for it because I wrote it.  It's not to catch someone
going to the / directory. It's to catch someone going to a "/ blah" (for
many different values of blah) directory, which showed up a few too
many times on NT machines around here with world-writable ftp roots.

The other warez rules are for similar styles of things.

HTH,
-- 
Chris Green <cmg at ...671...>
Logic, my dear Zoe, merely enables one to be wrong with authority.
                - Doctor Who, "The Wheel in Space"
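As an added illustration (not from this thread, and not Snort's own matching engine), a small Python emulation of the content/nocase/depth options from the quoted rule, run over constructed FTP command lines, shows why a plain "CWD /" never fires while "CWD / blah" does. The port 21 and flags: A+ conditions of the rule are assumed to have already been satisfied.

```python
"""Added example (not from the Snort-users thread): emulate how the
"FTP CWD / " rule's content/nocase/depth options decide a match, to show
why "CWD /" (no trailing space) is not matched while "CWD / blah" is."""

# Rule options as quoted in the thread: content:"CWD / "; nocase; depth: 6;
CONTENT = b"CWD / "   # note the trailing space; the pattern is 6 bytes long
DEPTH = 6             # the match must lie entirely within the first 6 payload bytes


def content_matches(payload: bytes, content: bytes = CONTENT,
                    depth: int = DEPTH, nocase: bool = True) -> bool:
    """Snort-style content match: look for `content` inside the first
    `depth` bytes of `payload`, case-insensitively when `nocase` is set."""
    window = payload[:depth]
    if nocase:
        window, content = window.lower(), content.lower()
    return content in window


# Constructed FTP command payloads (one TCP segment each, CRLF-terminated).
SAMPLE_PAYLOADS = {
    "cd to root":        b"CWD /\r\n",            # Habu's case: no space after /
    "space-named dir":   b"CWD / warez\r\n",      # Chris's case: a "/ blah" directory
    "lowercase variant": b"cwd / Incoming\r\n",   # nocase makes this match too
    "normal subdir":     b"CWD /pub\r\n",         # slash followed by a name, no space
    "later in stream":   b"NOOP\r\nCWD / x\r\n",  # beyond depth 6, so not matched
}


def classify(payloads: dict) -> dict:
    """Return, per sample name, whether the rule's content check would fire."""
    return {name: content_matches(p) for name, p in payloads.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLE_PAYLOADS).items():
        print(f"{'ALERT' if hit else 'no   '}  {name}")
```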