Snort mailing list archives

Re: just something to note about ftpbounce keyword.


From: Steven Sturges <steve.sturges () sourcefire com>
Date: Thu, 18 Mar 2010 08:44:56 -0400

Why not just use the ftp bounce detection in the ftp/telnet
preprocessor?  The rule option was only added as a precursor
to that, as development/test for a rule option is much simpler
than that of a preprocessor.

Will Metcalf wrote:
Also looks like we can't match on anything after the PORT command...

PORT 192,168,2,1,0,111

#fails
alert tcp any any -> any any (msg:"ftpbounce depth content 192";
content:"192"; ftpbounce; classtype:bad-unknown; sid:27; rev:1;)

#fails
alert tcp any any -> any any (msg:"ftpbounce depth content 111";
content:"111"; ftpbounce; classtype:bad-unknown; sid:28; rev:1;)

#works
alert tcp any any -> any any (msg:"ftpbounce depth content PORT";
content:"PORT"; ftpbounce; classtype:bad-unknown; sid:29; rev:1;)

Regards,

Will

On Wed, Mar 17, 2010 at 4:23 PM, Will Metcalf <william.metcalf () gmail com> wrote:
I can't really see a valid use case here as the ftpbounce keyword is
used in all of like one rule but.....

Regards,

Will

#test 128 ftpbounce byte_test + relative
#fails
#
#file ftpbounceattack.pcap
alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative";
content:"P"; byte_test:1,=,82,1,relative; ftpbounce;
classtype:bad-unknown; sid:128; rev:1;)

#test 129 byte_test + relative
#works
#
#file ftpbounceattack.pcap
alert tcp any any -> any any (msg:"ftpbounce + byte_test + relative";
content:"P"; byte_test:1,=,82,1,relative;  classtype:bad-unknown;
sid:129; rev:1;)


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
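Added example, not from the thread or from Snort's source: a small Python model of the check the ftpbounce option performs (does the address named in the PORT argument differ from the connection's source address?), with the check starting wherever a preceding content match leaves the cursor. That cursor-position behaviour is an assumption chosen to reproduce the results Will reports above; the client source address and the function names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample input: the PORT command quoted in the thread, plus a
# hypothetical client source address that is not the address in the command.
PORT_COMMAND = b"PORT 192,168,2,1,0,111\r\n"
SAMPLE_SRC_IP = "10.0.0.5"  # constructed, not from the thread

# h1,h2,h3,h4,p1,p2 with optional leading whitespace (the space after "PORT").
_PORT_ARGS = re.compile(
    rb"\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_port_args(payload: bytes, start: int = 0):
    """Parse the PORT argument beginning at offset `start`.

    Returns (ip, port) or None when no well-formed argument starts there.
    """
    m = _PORT_ARGS.match(payload, start)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):  # each field is one octet
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def is_ftp_bounce(payload: bytes, src_ip: str, start: int = 0) -> bool:
    """True when the PORT argument names a host other than the connection's source."""
    parsed = parse_port_args(payload, start)
    if parsed is None:
        return False  # nothing parseable at the cursor: no verdict, no alert
    ip, _port = parsed
    return ipaddress.ip_address(ip) != ipaddress.ip_address(src_ip)


def check_after_content(payload: bytes, content: bytes, src_ip: str) -> bool:
    """Model of `content:"X"; ftpbounce;` (assumption): the bounce check starts
    at the position the content match leaves behind, so only a match that ends
    right before the h1,h2,... fields (e.g. "PORT") lets the check succeed."""
    idx = payload.find(content)
    if idx < 0:
        return False
    return is_ftp_bounce(payload, src_ip, idx + len(content))
```

Under this model `content:"PORT"` leaves the cursor before the address and fires, while `content:"192"` or `content:"111"` leaves it on a comma or at the end of the line, so nothing parses, matching the three outcomes Will lists.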

