[Snort-users] ftp .rules

Jeremy Hoel jthoel at ...11827...
Sat Oct 27 12:08:29 EDT 2012


Please send these questions to the list. There are smart people on there
who can normally explain the rules better than I can.

From what I can tell, it's traffic coming from an external_net IP to a
home_net one on tcp port 21, and the packet contains MDTM around 100 bytes
in.

If you look at the CVE it will explain what software is vulnerable, and if
you don't run that software then you can disable this rule.
On Oct 27, 2012 5:17 AM, "Akinwale Fasuru" <fashman2k1 at ...131...> wrote:

> Can you give me an explanation of what this ftp.rule does?
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow
> attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,
> relative; pcre:"/^MDTM(?!\n)\s[^\n]{100}/smi"; metadata:service ftp;
> reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330;
> reference: nessus,12080; classtype:attempted-admin; sid:2546; rev:12;)
>
>
> Thanks
>
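To make the rule's matching chain concrete, here is an added example (not code from the list thread or from Snort itself) that re-implements the detection logic of sid:2546 in Python and runs it over a few constructed FTP command payloads. It models the three checks in the order Snort evaluates them: `content:"MDTM"; nocase;` (find the keyword case-insensitively), `isdataat:100,relative;` (at least 100 bytes remain after the keyword), and the `pcre` (the MDTM command at the start of a line followed by 100 non-newline bytes). The sample payloads, the function names and the simplified isdataat semantics are assumptions of this example.

```python
import re

# Constructed re-implementation of the matching logic of Snort sid:2546
# "FTP MDTM overflow attempt" for study on a defender's side; it is not
# Snort code and does not model Snort's stream reassembly or flow tracking.
#
#   content:"MDTM"; nocase; isdataat:100,relative;
#   pcre:"/^MDTM(?!\n)\s[^\n]{100}/smi";
#
# The PCRE flags map directly onto Python's re flags: s -> DOTALL,
# m -> MULTILINE (so ^ matches at the start of any line), i -> IGNORECASE.
MDTM_PCRE = re.compile(rb"^MDTM(?!\n)\s[^\n]{100}", re.S | re.M | re.I)


def content_nocase_cursor(payload: bytes, needle: bytes) -> int:
    """Model of 'content:...; nocase;': return the byte offset just past the
    first case-insensitive match (Snort's detection cursor), or -1 if absent."""
    idx = payload.lower().find(needle.lower())
    return -1 if idx < 0 else idx + len(needle)


def isdataat_relative(payload: bytes, cursor: int, n: int) -> bool:
    """Simplified model of 'isdataat:n,relative;': at least n bytes of payload
    remain after the cursor left by the preceding content match (assumption)."""
    return len(payload) - cursor >= n


def matches_mdtm_overflow(payload: bytes) -> bool:
    """Return True when the payload would satisfy all three checks of sid:2546."""
    cursor = content_nocase_cursor(payload, b"MDTM")
    if cursor < 0:
        return False                     # content:"MDTM" not present
    if not isdataat_relative(payload, cursor, 100):
        return False                     # too little data after the keyword
    # The pcre option has no 'R' (relative) modifier, so it is evaluated
    # against the whole payload, not from the cursor.
    return MDTM_PCRE.search(payload) is not None


# Constructed client-to-server FTP payloads (what a client sends on port 21).
SAMPLES = {
    # Ordinary MDTM request: keyword present, but far fewer than 100 bytes follow.
    "benign_mdtm": b"MDTM file.txt\r\n",
    # Argument of exactly 100 bytes: the pcre's {100} is satisfied.
    "arg_100": b"MDTM " + b"A" * 100 + b"\r\n",
    # 98-byte argument: enough bytes remain for isdataat (incl. CRLF), but the
    # pcre needs 100 non-\n bytes and only 98 'A's plus '\r' are available.
    "arg_98": b"MDTM " + b"A" * 98 + b"\r\n",
    # Oversized argument after an earlier command; the /m flag lets ^ match
    # at the start of the second line.
    "after_user": b"USER anonymous\r\nMDTM " + b"B" * 150 + b"\r\n",
    # Lowercase command: nocase on the content and /i on the pcre both apply.
    "lowercase": b"mdtm " + b"x" * 120 + b"\r\n",
    # Keyword in the middle of a line: content and isdataat pass, but the
    # pcre's ^ anchor does not, so the rule does not fire.
    "mid_line": b"STOR MDTM" + b"C" * 120 + b"\r\n",
}


def classify(samples=SAMPLES) -> dict:
    """Run every sample through the rule model; True means the rule would alert."""
    return {name: matches_mdtm_overflow(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:12s} -> {'ALERT' if hit else 'no alert'}")
```

Two details worth noticing when reading the rule: `[^\n]` also matches a carriage return, so the trailing `\r` of a CRLF-terminated command counts toward the 100 bytes, and the `^` anchor combined with `/m` means the command must begin a line, which is why the `mid_line` sample is not an alert even though the keyword and 100 trailing bytes are present.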