Snort mailing list archives

Snort rules for FTP CWD,SITE,etc overflow


From: Chris Garringer <chris.garringer () tic toshiba com>
Date: 07 Feb 2003 14:30:04 -0600

I have a snort installation watching a DMZ with a FTP server.  I get a
lot of messages about FTP <command> Overflow.  The rules all look for
content of !|0a| within 100 of the command.  The alerts all have 0D 0A
after the command.  So why does the rule fire?  Someone on the list said
that IE behaved this way.  But that doesn't get rid of the false
positives.  Is there any way to write the rule so that it won't fire on a
0D 0A?  The way it is written I don't understand why it fires in the
first place, there is definitely a 0A within 100 of the FTP command.
 
-- 
Chris D. Garringer
Toshiba International
LAN/WAN Supervisor
713-466-0277 x3756
Certified Solaris Administrator
Microsoft Certified Engineer (NT)
RedHat Certified Engineer
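As an added illustration (not part of the original post or of the Snort project's rules), the following emulates the match logic the post describes: the FTP command is found, and the rule then requires that no line feed (0x0a) occur within the next 100 bytes. The `within` semantics here are an assumption about the rule's intent, not a model of any particular Snort engine version, and the sample payloads are constructed.

```python
# Added example, not code from the original post or from Snort.
# Emulates: content:"<command>"; nocase; content:!"|0a|"; within:<limit>;
# The "within" handling is an assumed, idealised reading of the rule.

def command_overflow_match(payload: bytes, command: bytes = b"CWD ", limit: int = 100) -> bool:
    """Return True if `payload` trips the idealised overflow rule:
    the command keyword occurs and NO 0x0a follows it within `limit` bytes."""
    # nocase: case-insensitive search for the command keyword.
    idx = payload.lower().find(command.lower())
    if idx == -1:
        return False
    start = idx + len(command)
    window = payload[start:start + limit]
    # Negated content: the rule fires only when 0x0a is ABSENT from the window.
    # Note that a payload shorter than `limit` with no terminator at all
    # (e.g. a command split across packets) also yields an empty-of-LF window
    # and therefore matches under these semantics.
    return b"\x0a" not in window

# Constructed sample payloads (hypothetical, for illustration only).
SAMPLES = {
    "normal": b"CWD /pub/incoming\r\n",             # CRLF right after the argument
    "long_argument": b"CWD " + b"A" * 300 + b"\r\n",  # LF lies beyond the 100-byte window
    "no_terminator": b"CWD /pub",                    # truncated line, no LF at all
}

def classify(samples=SAMPLES):
    """Evaluate every sample against the idealised rule."""
    return {name: command_overflow_match(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, fired in classify().items():
        print(f"{name:15s} -> {'ALERT' if fired else 'no match'}")
```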




