On 0, Paul Schmehl <pauls@utdallas.edu> allegedly wrote:
Can someone explain exactly what this rule is supposed to detect? I'm not
referring to the packet itself, but to the attack methodology. I can see
that it looks for a string of characters with percent signs interspersed,
which is obviously encoding, and it certainly does that, but what exactly
is the nature of the attack that's it's detecting?
Well, the rule is looking for an attempt to send information to an FTP
server in printf format (%foo%foo%foo%foo), this may cause a DoS or could
give an opportunity to execute code.
something like "somethinghere<SPACE>%u%u%u%u" etc...
Windows FTP servers and WuFTP (and some others) have had issues with this.
Sorry the doc is a little vague, I'll update it to be more specific.
+-------------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
"Dude, dolphins are intelligent and friendly!" - Wendy
"Intelligent and friendly on rye bread, with some mayonaise." - Cartman
+-------------------------------------------------------------------------+
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
