
List:       snort-sigs
Subject:    Re: [Snort-sigs] bad rule in ftp.rules? (1.8 cvs)
From:       Chris Green <cmg () uab ! edu>
Date:       2001-07-10 4:33:13


Erik Fichtner <emf@servervault.com> writes:

> On Mon, Jul 09, 2001 at 11:15:03PM -0500, Chris Green wrote:
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; \
> > > content:"RETR"; content:"passwd"; flags: A+; reference:arachnids,213; \
> > > classtype:bad-unknown; sid:356;) 
> > > have a nocase; in it?
> > 
> > Why?  I think it's to catch people ftping the passwd file which won't
> > work if it's in upper case. :)
> 
> What about the RETR though?

Oh I'm blind - sorry. 15 hour days at work do that to me. I should
know better than to not answer email.  I didn't realize RETR was a part
of the rule.  I'm the blind bat tonight :)
-- 
Chris Green <cmg@uab.edu>
Fame may be fleeting but obscurity is forever.
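
Added example, not part of the original message or of Snort itself: a simplified Python model of the two content checks in sid:356, showing which constructed FTP command lines the rule as posted misses when only the RETR match is made case-insensitive. FTP command verbs are case-insensitive per RFC 959; the model ignores the ports and the flags: A+ test, and all names in it are hypothetical.

```python
# Simplified model of Snort "content" matching: every pattern must occur
# somewhere in the payload; nocase applies per pattern. Not Snort's real engine.

def matches(payload: bytes, contents) -> bool:
    """True if every (pattern, nocase) pair is found in payload."""
    for pattern, nocase in contents:
        hay = payload.lower() if nocase else payload
        needle = pattern.lower() if nocase else pattern
        if needle not in hay:
            return False
    return True

# sid:356 as quoted in the thread: both contents are case-sensitive.
RULE_AS_POSTED = [(b"RETR", False), (b"passwd", False)]

# Variant raised in the thread: nocase on the command verb only, i.e.
#   content:"RETR"; nocase; content:"passwd";
# The filename stays case-sensitive, since the file on disk is "passwd".
RULE_NOCASE_RETR = [(b"RETR", True), (b"passwd", False)]

# Constructed FTP control-channel lines (sample data, not captured traffic).
SAMPLES = [
    b"RETR /etc/passwd\r\n",
    b"retr /etc/passwd\r\n",
    b"Retr passwd\r\n",
    b"RETR /pub/PASSWD.TXT\r\n",
    b"LIST /etc\r\n",
]

def compare(samples=SAMPLES):
    """Return (line, hit_as_posted, hit_with_nocase) for each sample."""
    return [(s, matches(s, RULE_AS_POSTED), matches(s, RULE_NOCASE_RETR))
            for s in samples]

def missed_by_posted_rule(samples=SAMPLES):
    """Lines the nocase variant alerts on but the posted rule does not."""
    return [s for s, posted, fixed in compare(samples) if fixed and not posted]

if __name__ == "__main__":
    for line, posted, fixed in compare():
        print(f"{line!r:32} as_posted={posted!s:5} nocase_retr={fixed}")
```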

