Snort mailing list archives
Question on FTP rules
From: Chris Garringer <chris.garringer () tic toshiba com>
Date: 27 Jan 2003 12:21:58 -0600
I have begun implementing snort in our system. I am seeing several alerts on ftp connections to the FTP server. All are warning of buffer overflow attempts. I am using the downloaded rules and all the rules firing have 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD "; nocase; content:!"|0a|"; within:100; If I am reading this correctly it is looking for a cwd command without a 0a ending the string within 100 characters. Looking at the instances it fired, this did not apply to any of them, for example. Payload (Hex): 4357 4420 7075 620D 0A Payload (ASCII): CWD pub.. This appears to end with a 0a. Why is the rule firing in this case? Is this a false positive, as it appears? -- Chris D. Garringer Toshiba International LAN/WAN Supervisor 713-466-0277 x3756 Master Certified Novell Engineer Certified Solaris Administrator Microsoft Certified Engineer (NT) RedHat Certified Engineer ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Question on FTP rules Chris Garringer (Jan 27)