Snort mailing list archives
Snort rules for FTP CWD,SITE,etc overflow
From: Chris Garringer <chris.garringer () tic toshiba com>
Date: 07 Feb 2003 14:30:04 -0600
I have a snort installation watching a DMZ with a FTP server. I get a lot of messages about FTP <command> Overflow. The rules all look for content of !|0a| within 100 of the command. The alerts all have 0D 0A after the command. So why does the rule fire?

Someone on the list said that IE behaved this way. But that doesn't get rid of the false positives. Is there any way to write the rule so that it won't fire on a 0D 0A? The way it is written I don't understand why it fires in the first place, there is definitely a 0A within 100 of the FTP command.

-- 
Chris D. Garringer
Toshiba International
LAN/WAN Supervisor
713-466-0277 x3756
Certified Solaris Administrator
Microsoft Certified Engineer (NT)
RedHat Certified Engineer
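The matching logic the post is asking about can be worked through with a small emulator. The block below is an added example, not code from Snort or from the original poster: it models, in plain Python, the semantics of a rule of the form content:"CWD "; nocase; content:!"|0a|"; within:100; (find the command, then alert only if no 0x0a byte appears in the 100 bytes that follow the match) and runs it over a few constructed FTP payloads. The third sample shows the one way such a rule can fire on a command that a client does terminate with CR LF: the buffer being inspected ends before the terminator arrives, so there is no 0x0a in the window at all. The optional isdataat-style check (Snort's isdataat:100,relative keyword, here re-implemented by hand) requires 100 bytes of data to actually exist after the match before the negated content is consulted, which makes that short-buffer case stop alerting while the genuine long-argument case still does. The command list and sample payloads are assumptions for illustration only.

```python
"""Toy emulation of Snort content / nocase / within / negated content
semantics for an FTP command-overflow rule.  Added example, not Snort
code; the payloads below are constructed for illustration."""

WITHIN = 100  # the "within:100" in the rule under discussion


def find_command(payload: bytes, cmd: bytes) -> int:
    """Emulate content:"CWD "; nocase;  -> offset just past the match
    (the point 'within' is measured from), or -1 if the command is absent.
    Upper-casing both sides is enough for the ASCII FTP verbs."""
    needle = cmd.upper() + b" "
    idx = payload.upper().find(needle)
    return -1 if idx < 0 else idx + len(needle)


def rule_matches(payload: bytes, cmd: bytes = b"CWD",
                 within: int = WITHIN, require_isdataat: bool = False) -> bool:
    """True when the emulated rule would alert on this buffer.

    content:!"|0a|"; within:N  -> alert only if NO 0x0a byte occurs in the
    N bytes following the previous match.  With require_isdataat=True we
    first demand (as isdataat:N,relative would) that N bytes of data really
    exist after the match, so a short buffer cannot satisfy the negation
    merely by being short."""
    end = find_command(payload, cmd)
    if end < 0:
        return False
    if require_isdataat and len(payload) - end < within:
        return False
    window = payload[end:end + within]
    return b"\n" not in window


# Constructed sample buffers (not captured traffic):
SAMPLES = {
    "benign, CRLF in buffer": b"CWD pub\r\n",
    "benign, lower-case verb": b"cwd pub\r\n",
    "overflow-style argument": b"CWD " + b"A" * 200 + b"\r\n",
    "benign, CRLF not yet in buffer": b"CWD pub",
}


def evaluate_samples(require_isdataat: bool = False) -> dict:
    """Run every sample through the emulated rule; returns name -> alerts?"""
    return {name: rule_matches(buf, require_isdataat=require_isdataat)
            for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"isdataat check {'on' if mode else 'off'}:")
        for name, fired in evaluate_samples(mode).items():
            print(f"  {name:32s} -> {'ALERT' if fired else 'no alert'}")
```

With the isdataat check off, the short buffer "CWD pub" alerts exactly like the 200-byte argument, because the rule only asks whether a newline is present in the window, not whether the window is full. With the check on, only the buffer that really carries 100 newline-free bytes after the verb alerts, which is the behaviour the post is asking for.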
Current thread:
- Snort rules for FTP CWD,SITE,etc overflow Chris Garringer (Feb 07)