[Snort-users] Bug in 1.9.0 - or am I reading the rule wrong?

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Tue Jan 14 07:12:05 EST 2003

I just tested this in build 28 of snort 2.0.  Same results.

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at ...294...] 
Sent: Monday, January 13, 2003 4:22 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Bug in 1.9.0 - or am I reading the rule wrong?

There's a bunch of FTP alert rules that are causing false positives:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow
attempt"; flow:to_server,established,no_stream;  content:"USER ";
content:!"|0a|"; within:100; etc,etc)

(also "FTP MKD overflow attem","FTP site...",etc)

This says to me that it will only trigger when an FTP connection is made
that contains "USER " and doesn't contain a |0a| within 100 bytes -

Then why did I get an alert on this content?

55 53 45 52 20 XXXXXXXXX 0D 0A

That corresponds to "USER XXXXXX\r\n"

Any ideas why snort missed the 0a at the end? This happens for multiple
usernames - i.e. of different lengths.

Redhat 7.1, running snort 1.9.0 with libpcap-0.6.2. The only other odd
is that it's monitoring a VLAN - so I've used a expression of "vlan 1"
the command-line options to snort.



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

This SF.NET email is sponsored by: FREE  SSL Guide from Thawte
are you planning your Web Server Security? Click here to get a FREE
Thawte SSL guide and find the answers to all your  SSL security issues.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list