[Snort-users] space in "CWD / " rule
cmg at ...671...
Fri Mar 2 19:28:59 EST 2001
Chris Green <cmg at ...671...> writes:
> > What does the space after slash mean?
> > Would you describe me why this is the signature of
> > "possible warez site", or show me where is the reference?
> I'll take the blame for it cause I wrote it. It's not to catch someone
> going to the / directory. It's to catch someone going to "/ blah" (for
> many different values of blah) directory which showed up a few too
> many times on NT machines around here with world writeable ftp roots.
> The other warez rules are for similar styles of things.
I'll also follow up that Max pointed out to me that he doesn't think
you can make a dir with a preceding space in NT ( at least via MS
tools ). My wires are crossed for the day and the signature was to
catch chmod 777 ~ftp crud.
He also had the great idea that the content should be split into 2
content: "CWD "; content: "/ "; to catch a
lot more possibilities than the original method.
Chris Green <cmg at ...671...>
Fame may be fleeting but obscurity is forever.
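
An added example, not part of the original message or of Snort itself: it models each Snort content option as a plain substring search over the payload and compares the single content "CWD / " with the split contents "CWD " and "/ " from the message. The FTP payloads and the function names are constructed for illustration.

```python
# Added illustration. Assumption: each "content" option is modelled as a
# case-sensitive substring search over the whole payload, with no offset,
# depth or other positional modifiers tying the patterns together.

ORIGINAL_RULE = [b"CWD / "]      # the single content discussed in the thread
SPLIT_RULE = [b"CWD ", b"/ "]    # the two contents suggested in the message

def rule_matches(contents, payload):
    """A rule fires only if every content pattern occurs in the payload."""
    return all(pattern in payload for pattern in contents)

# Constructed FTP control-channel payloads (not captured traffic).
SAMPLES = {
    "root_space_dir":    b"CWD / incoming\r\n",
    "nested_space_dir":  b"CWD /pub/ stuff\r\n",
    "relative_trailing": b"CWD upload/ \r\n",
    "plain_root":        b"CWD /\r\n",
    "plain_path":        b"CWD /pub/docs\r\n",
    "other_command":     b"RETR / file\r\n",
    # Two commands in one segment: the patterns match in unrelated places.
    "two_commands":      b"CWD pub\r\nSIZE a/ b.txt\r\n",
}

def compare(samples=SAMPLES):
    """Return {name: (original_fires, split_fires)} for each payload."""
    return {
        name: (rule_matches(ORIGINAL_RULE, p), rule_matches(SPLIT_RULE, p))
        for name, p in samples.items()
    }

def gained_by_split(samples=SAMPLES):
    """Payloads the split rule flags that the single content misses."""
    return sorted(n for n, (orig, split) in compare(samples).items()
                  if split and not orig)

if __name__ == "__main__":
    for name, (orig, split) in compare().items():
        print(f"{name:18} original={orig!s:5} split={split}")
    print("gained by split:", gained_by_split())
```

The split form picks up a space after any slash in the path, not only after the root, and it also fires on "two_commands", where the two patterns belong to different commands; that extra noise is the cost of the wider coverage.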