[prev in list] [next in list] [prev in thread] [next in thread]
List: snort-sigs
Subject: Re: [Snort-sigs] bad rule in ftp.rules? (1.8 cvs)
From: Chris Green <cmg () uab ! edu>
Date: 2001-07-10 4:33:13
[Download RAW message or body]
Erik Fichtner <emf@servervault.com> writes:
> On Mon, Jul 09, 2001 at 11:15:03PM -0500, Chris Green wrote:
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; \
> > > content:"RETR"; content:"passwd"; flags: A+; reference:arachnids,213; \
> > > classtype:bad-unknown; sid:356;)
> > > have a nocase; in it?
> >
> > Why? I think its to catch people ftping the passwd file which wont'
> > work if its in upper case. :)
>
> What about the RETR though?
Oh I'm blind - sorry. 15 hour days at work do that to me. I should
know better than to not answer email I didn't realize RETR was a part
of the rule. I'm the blind bat tonight :)
--
Chris Green <cmg@uab.edu>
Fame may be fleeting but obscurity is forever.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic