Snort mailing list archives
Re: ftp .rules
From: Jeremy Hoel <jthoel () gmail com>
Date: Sat, 27 Oct 2012 16:08:29 +0000
Please send these questions to the list. There are smart people on there that can normally explain the rules better than I can.
From what I can tell, it's traffic coming from an external_net IP to a home_net one on tcp port 21, and the packet contains MDTM around 100 bytes in. If you look at the CVE it will explain what software is vulnerable, and if you don't run that software then you can disable this rule.

On Oct 27, 2012 5:17 AM, "Akinwale Fasuru" <fashman2k1 () yahoo com> wrote:
Can you give me the explanation of what this ftp.rule does?

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM(?!\n)\s[^\n]{100}/smi"; metadata:service ftp; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:12;)

Thanks
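As an added illustration of how the quoted rule evaluates a payload (this is not code from the thread or from the Snort project), the Python below re-implements the three payload options of sid:2546 in the order Snort applies them and runs them over constructed FTP command lines. It assumes the flow/port checks have already passed and approximates isdataat:100,relative as "at least 100 bytes after the MDTM match".

```python
import re

# Re-implementation of the payload checks in Snort sid:2546 ("FTP MDTM overflow attempt").
# Flags mirror the rule's /smi: DOTALL, MULTILINE (^ anchors at any line start), IGNORECASE.
MDTM_PCRE = re.compile(rb"^MDTM(?!\n)\s[^\n]{100}", re.S | re.M | re.I)


def evaluate_sid_2546(payload: bytes) -> str:
    """Apply the rule's options in Snort's order and report the first one that fails.

    Returns 'content', 'isdataat' or 'pcre' for the option that stopped the match,
    or 'alert' when every option matched. The flow/port checks (to_server on 21)
    are assumed to have passed already.
    """
    # content:"MDTM"; nocase;  -- case-insensitive search anywhere in the payload
    idx = payload.lower().find(b"mdtm")
    if idx < 0:
        return "content"
    cursor = idx + len(b"MDTM")          # detection cursor now sits right after the match
    # isdataat:100,relative;  -- approximated here as "at least 100 bytes after the match"
    if len(payload) - cursor < 100:
        return "isdataat"
    # pcre:"/^MDTM(?!\n)\s[^\n]{100}/smi" -- MDTM at a line start, one non-newline
    # whitespace, then 100 more bytes on that same line (CR counts, LF ends the line)
    if MDTM_PCRE.search(payload) is None:
        return "pcre"
    return "alert"


# Constructed client->server FTP payloads (not real captures) exercising each option.
SAMPLES = {
    "normal":      b"MDTM readme.txt\r\n",
    "overflow":    b"MDTM " + b"A" * 150 + b"\r\n",
    "lowercase":   b"mdtm " + b"A" * 150 + b"\r\n",
    "after_user":  b"USER anonymous\r\nMDTM " + b"A" * 150 + b"\r\n",
    "short_arg":   b"MDTM " + b"A" * 90 + b"\r\n",
    "split_lines": b"MDTM " + b"A" * 50 + b"\r\n" + b"B" * 60 + b"\r\n",
    "no_command":  b"RETR " + b"A" * 150 + b"\r\n",
}


def scan_samples(samples=SAMPLES) -> dict:
    """Evaluate every sample and return {name: verdict}."""
    return {name: evaluate_sid_2546(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:12s} -> {verdict}")
```

The "split_lines" sample passes isdataat but fails the pcre, which is why the rule needs both: the regex is what enforces that the 100 bytes belong to a single MDTM argument.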