[Snort-users] Question on FTP rules
chris.garringer at ...7867...
Mon Jan 27 12:36:28 EST 2003
I have begun implementing Snort in our system. I am seeing several
alerts on ftp connections to the FTP server. All are warning of buffer
overflow attempts. I am using the downloaded rules and all the rules
firing have 21 (msg:"FTP CWD overflow attempt";
flow:to_server,established; content:"CWD "; nocase; content:!"|0a|";
If I am reading this correctly it is looking for a CWD command without a
0a ending the string within 100 characters. Looking at the instances
it fired, this did not apply to any of them, for example:
4357 4420 7075 620D 0A
This appears to end with a 0a. Why is the rule firing in this case? Is
this a false positive, as it appears?
Chris D. Garringer
Master Certified Novell Engineer
Certified Solaris Administrator
Microsoft Certified Engineer (NT)
RedHat Certified Engineer
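The following is an added example, not part of the original post and not Snort's own matcher. It implements the poster's reading of the rule fragment (a "CWD " match followed by no 0x0a within 100 bytes, the quoted rule being truncated after the negated content) and runs it over the hex bytes quoted in the mail plus a constructed long argument. Snort's real evaluation (stream reassembly, other options in the rule that are not quoted) is not modelled; the 100-byte limit is taken from the post's wording and is an assumption about the missing `within` option.

```python
# Added example (not from the original post): simulate the poster's reading of the
# "FTP CWD overflow attempt" rule fragment on the payload quoted in the mail.
# The 100-byte window is assumed from "within 100 characters" in the post, since the
# quoted rule is cut off after content:!"|0a|".

CWD_LIMIT = 100  # assumed window length


def parse_hex_dump(text: str) -> bytes:
    """Turn the space-separated hex groups quoted in the mail into raw bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def cwd_overflow_match(payload: bytes, limit: int = CWD_LIMIT) -> bool:
    """Return True when the payload contains 'CWD ' (nocase) and no 0x0a appears in
    the `limit` bytes that follow it, i.e. the poster's reading of
    content:"CWD "; nocase; content:!"|0a|"; within:<limit>."""
    idx = payload.lower().find(b"cwd ")          # nocase applies to the CWD match only
    if idx == -1:
        return False                             # first content fails, rule cannot fire
    window = payload[idx + 4: idx + 4 + limit]   # bytes inspected by the negated content
    return b"\n" not in window                   # negated content: match if 0a is absent


def explain(payload: bytes) -> str:
    """Short human-readable verdict for one inspected buffer."""
    verdict = "MATCH" if cwd_overflow_match(payload) else "no match"
    return f"{payload!r}: {verdict}"


# Bytes exactly as quoted in the mail: "CWD pub\r\n"
POSTED = "4357 4420 7075 620D 0A"

# Constructed inputs (not from the mail) covering the rule's intent and an edge case.
CONSTRUCTED_LONG = b"CWD " + b"A" * 300 + b"\r\n"  # argument far longer than the window
CONSTRUCTED_NO_LF = b"CWD pub"                     # line feed not in the inspected buffer

if __name__ == "__main__":
    for buf in (parse_hex_dump(POSTED), CONSTRUCTED_LONG, CONSTRUCTED_NO_LF):
        print(explain(buf))
```

Under this reading the quoted payload does not match, because the 0a sits five bytes after the "CWD " match, well inside the window; only a long argument or a buffer that contains the CWD but not its terminating line feed satisfies the negated content. When reviewing such alerts it is worth checking the full inspected buffer rather than one reconstructed line, since a partial buffer behaves like the `CONSTRUCTED_NO_LF` case.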