Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Bug in 1.9.0 - or am I reading the rule wrong?

From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 14 Jan 2003 11:22:23 +1300
There's a bunch of FTP alert rules that are causing false positives:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow
attempt"; flow:to_server,established,no_stream;  content:"USER "; nocase;
content:!"|0a|"; within:100; etc,etc)

(also "FTP MKD overflow attem","FTP site...",etc)

This says to me that it will only trigger when an FTP connection is made
that contains "USER " and doesn't contain a |0a| within 100 bytes - correct?

Then why did I get an alert on this content?

55 53 45 52 20 XXXXXXXXX 0D 0A

That corresponds to "USER XXXXXX\r\n"

Any ideas why snort missed the 0a at the end? This happens for multiple
usernames - i.e. of different lengths.

Redhat 7.1, running snort 1.9.0 with libpcap-0.6.2. The only other odd thing
is that it's monitoring a VLAN - so I've used a expression of "vlan 1" on
the command-line options to snort.

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------
This SF.NET email is sponsored by: FREE  SSL Guide from Thawte
are you planning your Web Server Security? Click here to get a FREE
Thawte SSL guide and find the answers to all your  SSL security issues.
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: