Snort mailing list archives
RE: Bug in 1.9.0 - or am I reading the rule wrong?
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Tue, 14 Jan 2003 09:11:31 -0600
I just tested this in build 28 of snort 2.0. Same results. -----Original Message----- From: Jason Haar [mailto:Jason.Haar () trimble co nz] Sent: Monday, January 13, 2003 4:22 PM To: snort-users () lists sourceforge net Subject: [Snort-users] Bug in 1.9.0 - or am I reading the rule wrong? There's a bunch of FTP alert rules that are causing false positives: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER "; nocase; content:!"|0a|"; within:100; etc,etc) (also "FTP MKD overflow attem","FTP site...",etc) This says to me that it will only trigger when an FTP connection is made that contains "USER " and doesn't contain a |0a| within 100 bytes - correct? Then why did I get an alert on this content? 55 53 45 52 20 XXXXXXXXX 0D 0A That corresponds to "USER XXXXXX\r\n" Any ideas why snort missed the 0a at the end? This happens for multiple usernames - i.e. of different lengths. Redhat 7.1, running snort 1.9.0 with libpcap-0.6.2. The only other odd thing is that it's monitoring a VLAN - so I've used a expression of "vlan 1" on the command-line options to snort. Thanks! -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------- This SF.NET email is sponsored by: FREE SSL Guide from Thawte are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.NET email is sponsored by: FREE SSL Guide from Thawte are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Bug in 1.9.0 - or am I reading the rule wrong? Jason Haar (Jan 13)
- Re: Bug in 1.9.0 - or am I reading the rule wrong? Chris Green (Jan 14)
- Re: Bug in 1.9.0 - or am I reading the rule wrong? Jason Haar (Jan 15)
- Re: Bug in 1.9.0 - or am I reading the rule wrong? Chris Green (Jan 16)
- Re: Bug in 1.9.0 - or am I reading the rule wrong? Chris Green (Jan 16)
- Re: Bug in 1.9.0 - or am I reading the rule wrong? Jason Haar (Jan 15)
- Re: Bug in 1.9.0 - or am I reading the rule wrong? Chris Green (Jan 14)
- <Possible follow-ups>
- RE: Bug in 1.9.0 - or am I reading the rule wrong? Kreimendahl, Chad J (Jan 14)
- Re: Bug in 1.9.0 - or am I reading the rule wrong? Chris Green (Jan 14)
- RE: Bug in 1.9.0 - or am I reading the rule wrong? Kreimendahl, Chad J (Jan 14)
- Re: Bug in 1.9.0 - or am I reading the rule wrong? Chris Green (Jan 14)
- RE: Bug in 1.9.0 - or am I reading the rule wrong? Kreimendahl, Chad J (Jan 14)