Snort mailing list archives
Re: just something to note about ftpbounce keyword.
From: Will Metcalf <william.metcalf () gmail com>
Date: Thu, 18 Mar 2010 07:58:35 -0500
Why not just use the ftp bounce detection in the ftp/telnet preprocessor? The rule option was only added as a precursor to that, as development/test for a rule option is much simpler than that of a preprocessor.
I understand, hence my "failing to see a valid use case" comment. With that said, this keyword is still used in an active VRT rule (sid:3441), at least with the version I have. I'm really not trying to pick on you guys, I'm just trying to share interesting behavior that I'm finding. If this stuff isn't of any use to either list, just let me know and I will stop passing along the info in this format.

Regards,
Will

On Thu, Mar 18, 2010 at 7:44 AM, Steven Sturges <steve.sturges () sourcefire com> wrote:
Why not just use the ftp bounce detection in the ftp/telnet preprocessor? The rule option was only added as a precursor to that, as development/test for a rule option is much simpler than that of a preprocessor.

Will Metcalf wrote:
Also looks like we can't match on anything after the PORT command...

PORT 192,168,2,1,0,111

#fails
alert tcp any any -> any any (msg:"ftpbounce depth content 192"; content:"192"; ftpbounce; classtype:bad-unknown; sid:27; rev:1;)
#fails
alert tcp any any -> any any (msg:"ftpbounce depth content 111"; content:"111"; ftpbounce; classtype:bad-unknown; sid:28; rev:1;)
#works
alert tcp any any -> any any (msg:"ftpbounce depth content PORT"; content:"PORT"; ftpbounce; classtype:bad-unknown; sid:29; rev:1;)

Regards,
Will

On Wed, Mar 17, 2010 at 4:23 PM, Will Metcalf <william.metcalf () gmail com> wrote:
I can't really see a valid use case here as the ftpbounce keyword is used in all of like one rule but.....

Regards,
Will

#test 128 ftpbounce byte_test + relative
#fails
#
#file ftpbounceattack.pcap
alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative"; content:"P"; byte_test:1,=,82,1,relative; ftpbounce; classtype:bad-unknown; sid:128; rev:1;)

#test 129 byte_test + relative
#works
#
#file ftpbounceattack.pcap
alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative"; content:"P"; byte_test:1,=,82,1,relative; classtype:bad-unknown; sid:129; rev:1;)

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
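For readers unfamiliar with what the ftpbounce check actually tests, the following is an added example (not code from Snort or from the thread's authors) that emulates the decision the keyword and the ftp/telnet preprocessor make: parse the PORT command and flag it when the address it names is not the connection's own client address. The client address 192.168.2.1 and the sample lines are constructed; the first sample line is the PORT command quoted in the thread.

```python
"""Emulation of the FTP bounce check behind Snort's ftpbounce keyword: a PORT
command whose address differs from the client's own asks the server to open a
data connection to a third host.  Added example, not Snort code."""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line):
    """Return (ip, port) from an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(f) for f in m.group(1).split(",")]
    if any(f > 255 for f in fields):          # octets and port bytes are 8-bit
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]        # p1*256 + p2 per RFC 959
    return ip, port


def is_ftp_bounce(client_ip, line):
    """True when the PORT address differs from the connection's source IP."""
    parsed = parse_port(line)
    if parsed is None:
        return False                          # malformed or not a PORT command
    ip, _port = parsed
    return ipaddress.ip_address(ip) != ipaddress.ip_address(client_ip)


# Constructed sample session; the client's own address is 192.168.2.1.
SAMPLE_LINES = [
    "PORT 192,168,2,1,0,111",     # same host as the client: legitimate
    "PORT 10,0,0,5,4,1",          # third host, port 1025: bounce
    "PORT 192,168,2,1,300,1",     # malformed, p1 > 255: ignored
    "USER anonymous",             # not a PORT command: ignored
]


def scan(client_ip, lines):
    """Return the lines that would trigger the bounce check."""
    return [l for l in lines if is_ftp_bounce(client_ip, l)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r:32} bounce={is_ftp_bounce('192.168.2.1', line)}")
```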