Re: [Snort-sigs] HELP: More explanation for sid:10135

Subject: Re: [Snort-sigs] HELP: More explanation for sid:10135
Date: Mon, 10 Dec 2007 12:16:32 -0600
--On Monday, December 10, 2007 09:53:43 -0800 Rachmat Hidayat Al Anshar 
<rachmat_hidayat_03@yahoo.com> wrote:

> Maybe we can simplify this to only concern ourselves with the following parts:
> flow:established,to_server;

IOW, we have already seen a SYN from the client and an ACK from the server 
and a session has been established between the two.

> content:"GET"; nocase;

IOW, If there's a "GET" (case insensitive), in the packet, then we have a 
match and can continue to analyze it.

> content:"FTP|3A|//"; nocase;

IOW, if there's an FTP:// in the packet, then we have a second match and 
can continue to analyze the packet.

If either of the content matches fail, then the pcre is never processed.

> pcre:"/ftp\x3A\x2F\x2F[\w\x2E\x2F]+[^\x2F]\x3Btype=D/i";

IOW, since we've already verified that there's a GET followed by an FTP://, 
*if* this pattern also matches, then we need to trigger an alert for it.

The pattern?  ftp:// followed by an alpha-numeric character or a period or 
a forward slash *and* a string that begins with a forward slash followed by 
a semi-colon followed by type=D, with the entire pattern being case 
insensitive.

So ftp://./;Type=D would match as would ftp://a/;TYPE=d as would 
ftp:////type=d.

Why *that* should trigger an alert regarding a FTP DoS on Squid is an 
exercise left to the reader.

BTW, *all* of the information above is available in the snort docs.

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
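As an added example that is not part of the thread, the following Python applies the sid:10135 options in the order Snort evaluates them (the two `content` prefilters, then the `pcre`) to constructed HTTP payloads, so any candidate URL can be tested against the actual regex. The `flow` option is a stream-state check with no meaning on a single string, so it is assumed satisfied; the byte escapes in the pcre are expanded to their literal characters.

```python
import re

# sid:10135 content options as quoted in the thread; "nocase" means the
# comparison is case-insensitive, emulated here by lowercasing both sides.
CONTENT_GET = b"get"
CONTENT_FTP = b"ftp://"          # "FTP|3A|//" with |3A| expanded to ':'

# The pcre option with \x3A ':' \x2F '/' \x2E '.' \x3B ';' expanded.
# Python's \w on bytes is ASCII [A-Za-z0-9_], matching PCRE's default.
PCRE = re.compile(rb"ftp://[\w./]+[^/];type=D", re.IGNORECASE)


def evaluate_sid10135(payload: bytes) -> dict:
    """Return which options matched; evaluation stops at the first failure,
    exactly as Snort skips the pcre when a content match fails."""
    trace = {"content_GET": False, "content_FTP": False, "pcre": False}
    lowered = payload.lower()
    if CONTENT_GET not in lowered:
        return trace
    trace["content_GET"] = True
    if CONTENT_FTP not in lowered:
        return trace
    trace["content_FTP"] = True
    trace["pcre"] = PCRE.search(payload) is not None
    return trace


def alerts(payload: bytes) -> bool:
    """True only when every option, including the pcre, matched."""
    return evaluate_sid10135(payload)["pcre"]


if __name__ == "__main__":
    # Constructed sample request lines (hostnames are placeholders).
    samples = [
        b"GET ftp://files.example.invalid/pub/listing;type=D HTTP/1.0\r\n",
        b"GET ftp://files.example.invalid/pub/;type=D HTTP/1.0\r\n",
        b"GET http://www.example.invalid/;type=D HTTP/1.0\r\n",
        b"POST /upload HTTP/1.0\r\n",
    ]
    for s in samples:
        print(f"{alerts(s)!s:5}  {evaluate_sid10135(s)}  {s!r}")
```

The second sample shows the effect of `[^\x2F]`: a path whose last segment ends in a slash before `;type=D` does not satisfy the pcre even though both content options match.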
