[Snort-users] Question on FTP rules

Chris Garringer chris.garringer at ...7867...
Mon Jan 27 12:36:28 EST 2003

I have begun implementing snort in our system.  I am seeing several
alerts on ftp connections to the FTP server.  All are warning of buffer
overflow attempts.  I am using the downloaded rules and all the rules
firing have  21 (msg:"FTP CWD overflow attempt";
flow:to_server,established; content:"CWD "; nocase; content:!"|0a|";

If I am reading this correctly it is looking for a cwd command without a
0a ending the string within 100 characters.   Looking at the instances
it fired, this did not apply to any of them, for example.
Payload (Hex):
4357 4420 7075 620D 0A
Payload (ASCII):
CWD pub..

This appears to end with a 0a.  Why is the rule firing in this case?  Is
this a false positive, as it appears?

Chris D. Garringer
Toshiba International
LAN/WAN Supervisor
713-466-0277 x3756
Master Certified Novell Engineer
Certified Solaris Administrator
Microsoft Certified Engineer (NT)
RedHat Certified Engineer

More information about the Snort-users mailing list