Snort mailing list archives

Question on FTP rules


From: Chris Garringer <chris.garringer () tic toshiba com>
Date: 27 Jan 2003 12:21:58 -0600

I have begun implementing snort in our system.  I am seeing several
alerts on ftp connections to the FTP server.  All are warning of buffer
overflow attempts.  I am using the downloaded rules and all the rules
firing have  21 (msg:"FTP CWD overflow attempt";
flow:to_server,established; content:"CWD "; nocase; content:!"|0a|";
within:100; 

If I am reading this correctly, it is looking for a CWD command without a
0a ending the string within 100 characters. Looking at the instances
it fired, this did not apply to any of them, for example:
Payload (Hex):
4357 4420 7075 620D 0A
Payload (ASCII):
CWD pub..

This appears to end with a 0a.  Why is the rule firing in this case?  Is
this a false positive, as it appears?


-- 
Chris D. Garringer
Toshiba International
LAN/WAN Supervisor
713-466-0277 x3756
Master Certified Novell Engineer
Certified Solaris Administrator
Microsoft Certified Engineer (NT)
RedHat Certified Engineer
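To make the rule's matching logic concrete, here is an added Python emulation of the content modifiers quoted above; it is not code from the original post or from the Snort project. It models the documented semantics of the modifiers: the first content is a case-insensitive search anywhere in the payload, and a negated content with within:N "matches" only when the pattern is absent from the N bytes that follow the end of the previous match (a window that is shorter than N when the packet ends first). Function names, the backtracking over later "CWD " occurrences, and all sample payloads are this example's own constructions.

```python
"""Emulate: content:"CWD "; nocase; content:!"|0a|"; within:100;

Assumed semantics (based on Snort's documented content modifiers, not a
reimplementation of the Snort engine):
  * "CWD " is searched case-insensitively anywhere in the payload;
  * within:N restricts the next content to the N bytes after the end of
    the previous match;
  * a negated content succeeds when the byte is NOT found in that window;
  * if a later content fails, the engine retries with the next occurrence
    of the earlier content (so any "CWD " followed by >=N bytes without
    0x0a is enough to fire).
"""

FIRST_CONTENT = b"cwd "   # compared against the lowercased payload (nocase)
NEGATED_BYTE = b"\n"      # |0a|
WITHIN = 100

# Constructed sample payloads (hypothetical, not captures from the poster's network).
SAMPLES = {
    "CWD pub CRLF (the bytes quoted in the mail)": b"CWD pub\r\n",
    "CWD with 300-byte argument": b"CWD " + b"A" * 300 + b"\r\n",
    "CWD argument split across packets (no EOL in this segment)": b"cwd pub",
    "newline inside the window, junk after it": b"CWD " + b"A" * 50 + b"\n" + b"B" * 200,
    "unrelated command": b"PWD\r\n",
}


def cwd_overflow_matches(payload: bytes, within: int = WITHIN) -> bool:
    """Return True when the emulated rule would fire on this payload."""
    haystack = payload.lower()
    search_from = 0
    while True:
        idx = haystack.find(FIRST_CONTENT, search_from)
        if idx == -1:
            return False          # no "CWD " at all: first content fails
        window_start = idx + len(FIRST_CONTENT)
        window = payload[window_start:window_start + within]
        if NEGATED_BYTE not in window:
            return True           # negated content satisfied: rule fires
        search_from = idx + 1     # retry with the next "CWD " occurrence


def match_window(payload: bytes, within: int = WITHIN) -> bytes:
    """The bytes the negated content is evaluated against (first occurrence only);
    empty when "CWD " is absent. Useful when triaging an alert by hand."""
    idx = payload.lower().find(FIRST_CONTENT)
    if idx == -1:
        return b""
    start = idx + len(FIRST_CONTENT)
    return payload[start:start + within]


def triage(samples: dict) -> dict:
    """Map each sample label to whether the emulated rule fires."""
    return {label: cwd_overflow_matches(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, fired in triage(SAMPLES).items():
        print(f"{'FIRES  ' if fired else 'silent '} {label}")
```

Under these semantics the "CWD pub\r\n" payload from the mail does not satisfy the rule, because 0x0a sits inside the 100-byte window after "CWD ". The third sample is worth noting when investigating such alerts: a short, benign CWD whose terminating CRLF arrives in the next TCP segment leaves no 0x0a in the window, so a per-packet evaluation of this rule fires on it even though nothing is overflowing.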


