Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] SID 2417

from [Paul Schmehl] Network Security [Permanent Link]
Subject: [Snort-sigs] SID 2417
Date: Fri, 20 Aug 2004 11:32:48 -0500
Can someone explain exactly what this rule is supposed to detect? I'm not referring to the packet itself, but to the attack methodology. I can see that it looks for a string of characters with percent signs interspersed, which is obviously encoding, and it certainly does that, but what exactly is the nature of the attack that's it's detecting?

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%"; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2417; rev:1;)

Here's one packet:

50 41 53 56 0D 0A 52 45 54 52 20 2F 68 6F 6D 65   PASV..RETR /home
2F 30 30 31 2F 6C 2F 6C 78 2F 6C 78 6F 30 31 35   /001/l/lx/lxo015
30 30 30 2F 70 75 62 6C 69 63 5F 68 74 6D 6C 2F   000/public_html/
50 68 6F 74 6F 2F 4D 75 6E 6B 61 68 65 6C 79 2F   Photo/Munkahely/
65 62 65 64 5F 73 7A 75 6E 65 74 5F 6B 2E 6A 70   ebed_szunet_k.jp
67 0D 0A 33 61 25 32 66 25 32 66 62 61 79 39 25   g..3a%2f%2fbay9%
32 65 6F 65 25 32 65 68 6F 74 6D 61 69 6C 25 32   2eoe%2ehotmail%2
65 63 6F 6D 25 32 66 63 67 69 25 32 64 62 69 6E   ecom%2fcgi%2dbin
25 32 66 68 6D 64 61 74 61 25 32 66 64 61 6F 6F   %2fhmdata%2fdaoo
64 25 34 30 68 6F 74 6D 61 69 6C 25 32 65 63 6F   d%40hotmail%2eco
6D 25 33 66 26 6C                                 m%3f&l

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] New adobe vulnerability, nnposter
Next by Date:  Re: [Snort-sigs] New adobe vulnerability, Frank Knobbe
Previous by Thread:  [Snort-sigs] BleedingSnort rules hits information, Federico Petronio
Next by Thread:  Re: [Snort-sigs] SID 2417, Nigel Houghton
Indexes:  [Date] [Thread] [Top] [All Lists]