[Snort-users] help for FTP EXPLOIT wu-ftpd 2.6.0 site exec overflow

Brian Caswell bmc at ...312...
Fri Mar 23 11:26:35 EST 2001


chandrasekhar radhakrishnan wrote:
> I have been using snort-1.6.3. I have tried to test the
> FTP exploit wu-ftpd 2.6.0 site exec overflow. The
> system has failed to detect this.
> Also does this version of snort not take the + option
> for FLAGS parameter. What is the solution to this; can
> I give all the parameters-UAPRSF12.
> thanks

UM... That's why snort doesn't detect it.  If you specify any flags, then
the packet MUST have those flags and only those flags.  You can modify
that behavior with +, -, and !

If you specify ALL flags, then you are only looking for packets that
have ALL flags set.

Upgrade snort to 1.7.0 so you can support the + option.

If you still have issues, capture a raw pcap file (tcpdump -w) and e-mail
that to me.  I'll take a look at the rule.

-- 
Brian Caswell
The MITRE Corporation
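
The matching behaviour described in the reply above, as an added example that is not part of the original message and is not Snort's own code: a small Python model of exact matching versus the `+` modifier, run over constructed TCP flag bytes. Only exact and `+` matching are modelled, and mapping `1` and `2` to the two reserved high bits (0x80, 0x40) is an assumption of this sketch.

```python
# Simplified model of the "flags" rule option: exact match by default,
# "+" means "these flags must be set, any others may be set too".
# Assumption: '1' and '2' name the two reserved high bits (0x80, 0x40).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def parse_flags_option(spec):
    """Return (mask, plus) for a flags spec such as 'PA' or 'A+'."""
    mask, plus = 0, False
    for ch in spec.strip().upper():
        if ch == "+":
            plus = True
        elif ch in FLAG_BITS:
            mask |= FLAG_BITS[ch]
        else:
            raise ValueError(f"unsupported character in flags spec: {ch!r}")
    return mask, plus


def flags_match(spec, tcp_flags):
    """True if a packet's TCP flag byte satisfies the flags spec."""
    mask, plus = parse_flags_option(spec)
    tcp_flags &= 0xFF
    if plus:
        # All listed flags present; extra flags are ignored.
        return (tcp_flags & mask) == mask
    # No modifier: the flag byte must equal the listed set exactly.
    return tcp_flags == mask


# Constructed sample flag bytes (not taken from a capture).
SAMPLE_PACKETS = {
    "data segment (PSH+ACK)": 0x18,
    "bare ACK": 0x10,
    "SYN": 0x02,
    "all eight bits set": 0xFF,
}

if __name__ == "__main__":
    for spec in ("UAPRSF12", "PA", "A", "A+"):
        for name, bits in SAMPLE_PACKETS.items():
            verdict = "match" if flags_match(spec, bits) else "no match"
            print(f"flags: {spec:<9} {name:<24} {verdict}")
```

A rule written with `UAPRSF12` only fires on a packet with every flag bit set, so an ordinary PSH+ACK data segment carrying an FTP command never matches it, while `A+` does.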



