Bug #285: FN on suricata 103/11beta2 - ftp format string - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #285

closed

FN on suricata 103/11beta2 - ftp format string

Added by rmkml rmkml over 13 years ago. Updated over 13 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

1.1beta3

Affected Versions:

Effort:

Difficulty:

Label:

Description

Hi,
First, Great Congratulations for new Suricata 1.0.3/1.1beta2 release!
Second, I have a small pb with joigned pcap file.
ok first (poor/very simplified) sig working:
alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established;
content:"%"; depth:4; offset:0; classtype:misc-activity; sid:945011; rev:1;)
ok second (poor/very simplified) sig NOT working (but work with snort):
alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established;
content:"%"; depth:4; offset:0; content:"%"; within:2; distance:1; classtype:misc-activity; sid:945012; rev:1;)
stream:
checksum_validation: no # or yes have same pb for me
Thx you again for your time for checking my test.
If you confirm, Im open a new ticket on suricata redmine.
Regards
Rmkml

Files

exploit_ftp_formatstringmetasploit_suricataFN2.pcap (1.79 KB) exploit_ftp_formatstringmetasploit_suricataFN2.pcap

rmkml rmkml, 04/23/2011 04:18 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #285

FN on suricata 103/11beta2 - ftp format string

Updated by Victor Julien over 13 years ago