Snort mailing list archives

Re: ftp .rules


From: Eric G <eric () nixwizard net>
Date: Sat, 27 Oct 2012 12:21:23 -0400

On Oct 27, 2012 12:08 PM, "Jeremy Hoel" <jthoel () gmail com> wrote:

Please send these questions to the list. There are smart people on there
that can normally explain the rules better than I can.

From what I can tell, it's traffic coming from an external_net IP to a
home_net one on TCP port 21, and the packet contains MDTM around 100 bytes
in.

If you look at the CVE it will explain what software is vulnerable, and if
you don't run that software then you can disable this rule.

Looks like this rule tests for traffic that can take advantage of a
vulnerability in a handful of Serv-U FTP versions from back in 2004:

http://www.securityfocus.com/bid/9751

As Jeremy said, if you know you're not running an 8 year old version of
Serv-U FTP on your network, it's likely safe to disable this rule.

--
Eric
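
The match conditions described in this thread, written out as a small checker. This is an added example, not part of the original messages and not Snort's own rule or code. The HOME_NET ranges, the sample segments and the reading of "around 100 bytes in" as "at least 100 bytes of argument after MDTM on one command line" are assumptions, since the rule text is not shown in the thread.

```python
import ipaddress
import re

# Assumed values for illustration; the thread does not give the rule text.
HOME_NET = [ipaddress.ip_network("192.168.0.0/16"),
            ipaddress.ip_network("10.0.0.0/8")]
FTP_PORT = 21
MIN_ARG_BYTES = 100  # assumed reading of "around 100 bytes in"

# MDTM (any case) at the start of a command line, whitespace, then at least
# MIN_ARG_BYTES bytes before the line ends.
MDTM_LONG = re.compile(rb"^MDTM[ \t]+[^\r\n]{%d,}" % MIN_ARG_BYTES,
                       re.IGNORECASE | re.MULTILINE)


def in_home_net(addr):
    """True when addr falls inside one of the protected networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def matches_mdtm_rule(src, dst, dport, payload):
    """True when a client-to-server segment fits the thread's description."""
    if in_home_net(src) or not in_home_net(dst):
        return False  # not EXTERNAL_NET -> HOME_NET
    if dport != FTP_PORT:
        return False  # not the FTP control channel
    return MDTM_LONG.search(payload) is not None


# Constructed sample segments: (src, dst, dport, payload).
SAMPLES = [
    ("203.0.113.7", "192.168.1.20", 21, b"MDTM 20121027122123 report.txt\r\n"),
    ("203.0.113.7", "192.168.1.20", 21, b"mdtm " + b"A" * 150 + b"\r\n"),
    ("192.168.1.5", "192.168.1.20", 21, b"MDTM " + b"A" * 150 + b"\r\n"),
    ("203.0.113.7", "192.168.1.20", 80, b"MDTM " + b"A" * 150 + b"\r\n"),
]


def classify(samples):
    """Apply the checker to each sample and return the verdicts in order."""
    return [matches_mdtm_rule(*s) for s in samples]


if __name__ == "__main__":
    for sample, hit in zip(SAMPLES, classify(SAMPLES)):
        print(sample[0], "->", sample[1], sample[2], "ALERT" if hit else "ok")
```

Only the second sample alerts: a normal-length MDTM request, an internal source and a non-FTP port all fall outside the conditions.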