[Snort-users] space in "CWD / " rule

Chris Green cmg at ...671...
Fri Mar 2 19:28:59 EST 2001


Chris Green <cmg at ...671...> writes:

> > What does the space after slash mean?
> > Would you describe to me why this is the signature of
> > "possible warez site", or show me where is the reference?
> 
> I'll take the blame for it cause I wrote it.  It's not to catch someone
> going to the / directory. It's to catch someone going to "/ blah" (for
> many different values of blah) directory which showed up a few too
> many times on NT machines around here with world writeable ftp roots.
> 
> The other warez rules are for similar styles of things.
> 

I'll also follow up that Max pointed out to me that he doesn't think
you can make a dir with a preceding space in NT (at least via MS
tools).  My wires are crossed for the day and the signature was to
catch chmod 777 ~ftp crud.

He also had the great idea that the content should be split into 2
parts -

content: "CWD "; content: "/ "; to catch a
lot more possibilities than the original method.
-- 
Chris Green <cmg at ...671...>
Fame may be fleeting but obscurity is forever.
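
The following is an added example, not part of the original message and not Snort code: a small model of how the single `content: "CWD / "` pattern (assumed from the thread subject) and the proposed two-part form behave on constructed FTP payloads. It assumes plain `content` semantics only: a case-sensitive byte search anywhere in the payload, with every `content` option in the rule required to match.

```python
# Added illustration; not Snort source code. Models only the plain `content`
# option: a case-sensitive byte search anywhere in the payload, with all
# `content` options in a rule required to match (no offset/depth modifiers).

ORIGINAL = [b"CWD / "]       # assumed from the thread subject line
SPLIT = [b"CWD ", b"/ "]     # the two-part form proposed in the message

# Constructed FTP control-channel payloads, one TCP segment each.
SAMPLES = {
    "root_space_dir":      b"CWD / warez\r\n",
    "nested_space_dir":    b"CWD /pub/ incoming\r\n",
    "relative_space_dir":  b"CWD pub/ .hidden\r\n",
    "extra_space":         b"CWD  / tmp\r\n",
    "plain_root":          b"CWD /\r\n",
    "plain_path":          b"CWD /pub/incoming\r\n",
    # Two pipelined commands in one segment; the CWD itself is harmless.
    "pipelined_unrelated": b"RETR docs/ readme.txt\r\nCWD pub\r\n",
}


def rule_matches(payload, contents):
    """True when every content pattern occurs somewhere in the payload."""
    return all(pattern in payload for pattern in contents)


def compare(samples=SAMPLES):
    """Return {name: (original_hit, split_hit)} for each payload."""
    return {
        name: (rule_matches(p, ORIGINAL), rule_matches(p, SPLIT))
        for name, p in samples.items()
    }


def newly_caught(samples=SAMPLES):
    """Names of payloads only the split rule alerts on."""
    return sorted(n for n, (orig, split) in compare(samples).items()
                  if split and not orig)


if __name__ == "__main__":
    for name, (orig, split) in compare().items():
        print(f"{name:20} original={orig!s:5} split={split}")
```

Because the two patterns are matched independently, the split form also alerts on the pipelined sample, where `/ ` belongs to a different command than `CWD `; that is the cost of the wider coverage.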



