Snort mailing list archives

Re: just something to note about ftpbounce keyword.


From: Will Metcalf <william.metcalf () gmail com>
Date: Thu, 18 Mar 2010 07:58:35 -0500

Why not just use the ftp bounce detection in the ftp/telnet
preprocessor?  The rule option was only added as a precursor
to that, as development/test for a rule option is much simpler
than that of a preprocessor.

I understand, hence my "failing to see a valid use case" comment.
With that said, this keyword is still used in an active VRT rule
(sid:3441), at least with the version I have. I'm really not trying to
pick on you guys, I'm just trying to share interesting behavior that
I'm finding. If this stuff isn't of any use to either list, just let
me know and I will stop passing along the info in this format.

Regards,

Will

On Thu, Mar 18, 2010 at 7:44 AM, Steven Sturges
<steve.sturges () sourcefire com> wrote:
Why not just use the ftp bounce detection in the ftp/telnet
preprocessor?  The rule option was only added as a precursor
to that, as development/test for a rule option is much simpler
than that of a preprocessor.

Will Metcalf wrote:
Also looks like we can't match on anything after the PORT command...

PORT 192,168,2,1,0,111

#fails
alert tcp any any -> any any (msg:"ftpbounce depth content 192";
content:"192"; ftpbounce; classtype:bad-unknown; sid:27; rev:1;)

#fails
alert tcp any any -> any any (msg:"ftpbounce depth content 111";
content:"111"; ftpbounce; classtype:bad-unknown; sid:28; rev:1;)

#works
alert tcp any any -> any any (msg:"ftpbounce depth content PORT";
content:"PORT"; ftpbounce; classtype:bad-unknown; sid:29; rev:1;)

Regards,

Will

On Wed, Mar 17, 2010 at 4:23 PM, Will Metcalf <william.metcalf () gmail com> wrote:
I can't really see a valid use case here as the ftpbounce keyword is
used in all of like one rule but.....

Regards,

Will

#test 128 ftpbounce byte_test + relative
#fails
#
#file ftpbounceattack.pcap
alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative";
content:"P"; byte_test:1,=,82,1,relative; ftpbounce;
classtype:bad-unknown; sid:128; rev:1;)

#test 129 byte_test + relative
#works
#
#file ftpbounceattack.pcap
alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative";
content:"P"; byte_test:1,=,82,1,relative;  classtype:bad-unknown;
sid:129; rev:1;)


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
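The check that the ftpbounce keyword performs on the PORT command in the rules above (does the address in the PORT argument match the client that sent it?), written out as an added Python example that is not Snort code or anything posted in the thread. The client address 10.0.0.5, the function names and the sample lines are my own assumptions; the PORT argument is the one from the thread.

```python
import ipaddress
import re

# Constructed sample: the PORT command quoted in the thread. The client
# address it is checked against below (10.0.0.5) is an assumed value.
SAMPLE_PORT_LINE = "PORT 192,168,2,1,0,111"
ASSUMED_CLIENT_IP = "10.0.0.5"

# PORT h1,h2,h3,h4,p1,p2 : four address octets, then the port as two bytes.
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line: str):
    """Parse an FTP PORT command into (IPv4Address, port).

    Returns None when the line is not a well-formed PORT command, so a
    malformed command is never mistaken for a bounce.
    """
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None
    h1, h2, h3, h4, p1, p2 = octets
    ip = ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}")
    port = p1 * 256 + p2  # 0,111 -> 111
    return ip, port


def is_ftp_bounce(line: str, client_ip: str) -> bool:
    """True when the PORT target differs from the client's own address.

    That mismatch is the condition an FTP bounce check alerts on: the
    client is asking the server to open a data connection to a third host.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False
    ip, _port = parsed
    return ip != ipaddress.IPv4Address(client_ip)


if __name__ == "__main__":
    target = parse_port_command(SAMPLE_PORT_LINE)
    print("PORT target:", target, "bounce:",
          is_ftp_bounce(SAMPLE_PORT_LINE, ASSUMED_CLIENT_IP))
```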
