Snort mailing list archives

Re: [Snort-sigs] bad rule in ftp.rules? (1.8 cvs)


From: HABU Takuya <habu () yk fujitsu co jp>
Date: Tue, 10 Jul 2001 15:49:51 +0900

Hello, Mr. Fichtner,

On Mon, 9 Jul 2001 22:13:34 -0400
Erik Fichtner <emf () servervault com> wrote:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt";
content:"RETR"; content:"passwd"; flags: A+; nocase;
reference:arachnids,213; classtype:bad-unknown; sid:356; rev:2;)

If you want to ignore the case of "RETR", you should add nocase
IMMEDIATELY after `content:"RETR";', not after `content: "passwd"'.
Otherwise Snort will just ignore the case of "passwd", and not catch
lower case "retr".

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt";
content:"RETR"; nocase; content:"passwd"; flags: A+;
reference:arachnids,213; classtype:bad-unknown; sid:356; rev:2;)

I suppose this is correct.
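
Added example, not part of the original post and not Snort's own code: a simplified Python model of the binding described above, where nocase attaches to the content option that most recently precedes it. The helper names (parse_contents, matches, report) and the three FTP payloads are constructed for illustration; only content and nocase are modelled, and the rule header, flags and other options are ignored.

```python
import re

# The two rules from the thread, each joined onto one line.
ORIGINAL = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; '
            'content:"RETR"; content:"passwd"; flags: A+; nocase; '
            'reference:arachnids,213; classtype:bad-unknown; sid:356; rev:2;)')
PROPOSED = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; '
            'content:"RETR"; nocase; content:"passwd"; flags: A+; '
            'reference:arachnids,213; classtype:bad-unknown; sid:356; rev:2;)')

def parse_contents(rule):
    """Return [(pattern_bytes, nocase), ...] in rule order (hypothetical helper)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents = []
    # Split options on ';' outside double quotes. Escaped quotes and |hex|
    # content are not handled; the sample rules do not use them.
    for opt in re.findall(r'\s*((?:"[^"]*"|[^;"])+);', body):
        key, _, val = opt.partition(":")
        key = key.strip().lower()
        if key == "content":
            contents.append([val.strip().strip('"').encode(), False])
        elif key == "nocase":
            if not contents:
                raise ValueError("nocase with no preceding content option")
            # Binds to the last content seen, even with other options between.
            contents[-1][1] = True
    return [tuple(c) for c in contents]

def matches(rule, payload):
    """True if every content pattern occurs in the payload (order not enforced)."""
    for pattern, nocase in parse_contents(rule):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True

# Constructed FTP control-channel payloads (not captured traffic).
SAMPLES = [b"RETR /etc/passwd\r\n", b"retr /etc/passwd\r\n", b"RETR /etc/PASSWD\r\n"]

def report():
    """Match result per rule, in SAMPLES order."""
    return {name: [matches(rule, p) for p in SAMPLES]
            for name, rule in (("original", ORIGINAL), ("proposed", PROPOSED))}

if __name__ == "__main__":
    for name, hits in report().items():
        for payload, hit in zip(SAMPLES, hits):
            print(f"{name:9} {payload!r:28} {'alert' if hit else 'no alert'}")
```

In this model the original rule treats only "passwd" as case-insensitive, while the proposed rule treats only "RETR" that way, so each content option that should ignore case needs its own nocase.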

