[Snort-users] Bug in 1.9.0 - or am I reading the rule wrong?

Jason Haar Jason.Haar at ...294...
Mon Jan 13 14:23:03 EST 2003

There's a bunch of FTP alert rules that are causing false positives:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow
attempt"; flow:to_server,established,no_stream;  content:"USER "; nocase;
content:!"|0a|"; within:100; etc,etc)

(also "FTP MKD overflow attem","FTP site...",etc)

This says to me that it will only trigger when an FTP connection is made
that contains "USER " and doesn't contain a |0a| within 100 bytes - correct?

Then why did I get an alert on this content?

55 53 45 52 20 XXXXXXXXX 0D 0A

That corresponds to "USER XXXXXX\r\n"

Any ideas why snort missed the 0a at the end? This happens for multiple
usernames - i.e. of different lengths.

Redhat 7.1, running snort 1.9.0 with libpcap-0.6.2. The only other odd thing
is that it's monitoring a VLAN - so I've used a expression of "vlan 1" on
the command-line options to snort.



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list