[Snort-users] Bug in 1.9.0 - or am I reading the rule wrong?
Jason.Haar at ...294...
Mon Jan 13 14:23:03 EST 2003
There's a bunch of FTP alert rules that are causing false positives:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow
attempt"; flow:to_server,established,no_stream; content:"USER "; nocase;
content:!"|0a|"; within:100; etc,etc)
(also "FTP MKD overflow attem","FTP site...",etc)
This says to me that it will only trigger when an FTP connection is made
that contains "USER " and doesn't contain a |0a| within 100 bytes - correct?
Then why did I get an alert on this content?
55 53 45 52 20 XXXXXXXXX 0D 0A
That corresponds to "USER XXXXXX\r\n"
Any ideas why snort missed the 0a at the end? This happens for multiple
usernames - i.e. of different lengths.
Redhat 7.1, running snort 1.9.0 with libpcap-0.6.2. The only other odd thing
is that it's monitoring a VLAN - so I've used a expression of "vlan 1" on
the command-line options to snort.
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
More information about the Snort-users