
Re: [Snort-sigs] HELP: More explanation for sid:10135

Date: Mon, 10 Dec 2007 16:01:45 -0500
A ^ inside of a Character Class negates the Character Class. So NOT /.
ftp:// and any amount of letters, numbers, or underscores (but there must be at least one), then NOT followed by another forward slash followed by a semi-colon then the type=D string. Disregarding case.


For those of you that are interested in pcre, I suggest the "Mastering Regular Expressions" book from O'Reilly.

--
Joel Esler
joel.esler@sourcefire.com




On Dec 10, 2007, at 1:16 PM, Paul Schmehl wrote:

--On Monday, December 10, 2007 09:53:43 -0800 Rachmat Hidayat Al Anshar
<rachmat_hidayat_03@yahoo.com> wrote:

Maybe we can simplify this to only concern ourselves with the following parts: flow:established,to_server;

IOW, we have already seen a SYN from the client and an ACK from the server
and a session has been established between the two.


content:"GET"; nocase;

IOW, If there's a "GET" (case insensitive), in the packet, then we have a
match and can continue to analyze it.


content:"FTP|3A|//"; nocase;

IOW, if there's an FTP:// in the packet, then we have a second match and
can continue to analyze the packet.


If either of the content matches fail, then the pcre is never processed.

pcre:"/ftp\x3A\x2F\x2F[\w\x2E\x2F]+[^\x2F]\x3Btype=D/i";

IOW, since we've already verified that there's a GET followed by an FTP://,
*if* this pattern also matches, then we need to trigger an alert for it.


The pattern? ftp:// followed by an alpha-numeric character or a period or
a forward slash *and* a string that begins with a forward slash followed by
a semi-colon followed by type=D, with the entire pattern being case
insensitive.


So ftp://./;Type=D would match as would ftp://a/;TYPE=d as would
ftp:////type=d.

Why *that* should trigger an alert regarding a FTP DoS on Squid is an
exercise left to the reader.

BTW, *all* of the information above is available in the snort docs.

--
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
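As an added illustration that is not part of the thread, the following Python stand-in applies the rule's payload options in the order described above (both content matches, then the pcre) to a few constructed request lines, including the three strings proposed in the quoted message, so you can see which ones actually fire given the negated class `[^\x2F]`:

```python
import re

# Added example, not from the thread: a minimal stand-in for how Snort
# evaluates the payload options of sid:10135. The rule text is taken from
# the quoted message; every request line below is constructed.
PCRE = re.compile(rb"ftp\x3A\x2F\x2F[\w\x2E\x2F]+[^\x2F]\x3Btype=D", re.IGNORECASE)

def rule_matches(payload: bytes) -> bool:
    """Apply the rule's payload options in Snort's order.

    flow:established,to_server is a stream-state condition and is assumed
    satisfied here. Both content matches must succeed before the pcre runs.
    """
    lowered = payload.lower()
    if b"get" not in lowered:          # content:"GET"; nocase;
        return False
    if b"ftp://" not in lowered:       # content:"FTP|3A|//"; nocase;
        return False
    return PCRE.search(payload) is not None

# Constructed request lines with the expected verdict. The first three are
# the strings from the quoted message; the rest show what [^\x2F] requires:
# the single character right before the ';' must not be a '/'.
SAMPLES = {
    b"GET ftp://./;Type=D HTTP/1.0": False,        # '/' sits right before ';'
    b"GET ftp://a/;TYPE=d HTTP/1.0": False,        # same: [^/] cannot match '/'
    b"GET ftp:////type=d HTTP/1.0": False,         # no ';' at all
    b"GET ftp://host/pub;type=D HTTP/1.0": True,   # 'b' before ';' satisfies [^/]
    b"GET FTP://HOST/PUB;TYPE=d HTTP/1.0": True,   # /i covers the whole pattern
    b"HEAD ftp://host/pub;type=D HTTP/1.0": False, # content:"GET" fails; pcre never runs
}

def check_samples() -> dict:
    """Return the verdict the stand-in gives for each constructed line."""
    return {line: rule_matches(line) for line in SAMPLES}

if __name__ == "__main__":
    for line, fired in check_samples().items():
        print(f"{'ALERT' if fired else 'pass '} {line.decode()}")
```

Python's `re` accepts the same `\xHH` escapes and `\w` class as the PCRE in the rule, so the verdicts above reflect what the pcre option itself would produce once the content matches have passed.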


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs