Snort mailing list archives
Re: [Snort-sigs] bad rule in ftp.rules? (1.8 cvs)
From: HABU Takuya <habu () yk fujitsu co jp>
Date: Tue, 10 Jul 2001 15:49:51 +0900
Hello, Mr. Fichtner,

On Mon, 9 Jul 2001 22:13:34 -0400 Erik Fichtner <emf () servervault com> wrote:

> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt";
> content:"RETR"; content:"passwd"; flags: A+; nocase; reference:arachnids,213; classtype:bad-unknown; sid:356; rev:2;)

If you want to ignore case of "RETR", you should add nocase IMMEDIATELY after `content:"RETR";', not after `content: "passwd"'. Otherwise snort will just ignore case of "passwd", and not catch lower case "retr".

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt";
content:"RETR"; nocase; content:"passwd"; flags: A+; reference:arachnids,213; classtype:bad-unknown; sid:356; rev:2;)

I suppose this is correct.
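The modifier binding described in the message above, as an added example that is not part of the original post and is not Snort's own code. It models only what the message states (nocase applies to the content option before it); the function names and sample payloads are constructed for illustration, and the rule header, flags and other options are ignored.

```python
import re

# Rules as quoted in the message above (msg text kept verbatim).
ORIGINAL = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; '
            'content:"RETR"; content:"passwd"; flags: A+; nocase; '
            'reference:arachnids,213; classtype:bad-unknown; sid:356; rev:2;)')
CORRECTED = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; '
             'content:"RETR"; nocase; content:"passwd"; flags: A+; '
             'reference:arachnids,213; classtype:bad-unknown; sid:356; rev:2;)')

# Constructed sample payloads for an FTP control connection.
SAMPLES = ["RETR passwd\r\n", "retr passwd\r\n"]

# keyword, then an optional value; quoted values may contain ';'
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def content_matches(rule):
    """Return [(pattern, nocase)], binding each nocase to the content before it."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents = []
    for keyword, value in OPTION.findall(body):
        if keyword == "content":
            contents.append([value.strip('"'), False])
        elif keyword == "nocase" and contents:
            contents[-1][1] = True  # modifies only the preceding content
    return [tuple(c) for c in contents]

def payload_matches(rule, payload):
    """Simplified matcher: every content must occur somewhere in the payload."""
    for pattern, nocase in content_matches(rule):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True

def case_sensitive_contents(rule):
    """List the content patterns that are still matched case-sensitively."""
    return [pattern for pattern, nocase in content_matches(rule) if not nocase]

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("corrected", CORRECTED)):
        hits = [payload_matches(rule, p) for p in SAMPLES]
        print(name, content_matches(rule), hits, case_sensitive_contents(rule))
```
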