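# ftp.rules -- Snort signatures for attacks against FTP servers on $HOME_NET:21.
#
# Layout matters for the Snort rule parser: every rule must sit on its own line,
# and a `#` comment runs to end of line.  In the source as it was published the
# rules and the section headers had been run together onto a handful of lines,
# which (a) is not parseable as-is and (b) would have silently commented out the
# first rule after each "# bad ..." section header.  The rules below are the same
# rules restored to one per line; rules that were commented out in the original
# are left commented out.
#
# Conventions used by the overflow rules: `isdataat:N,relative` is a cheap
# pre-check that at least N bytes follow the matched command, and the pcre then
# requires those N bytes to be within the same command line (`[^\n]{N}`) so a
# match cannot span into a following pipelined command.
#
# Every rule also carries `metadata: service ftp`, so a target-based Snort
# configuration can apply them to FTP traffic by service rather than by port.

# --- format string / overflow attempts in common commands ---------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp; reference:bugtraq,1387; reference:bugtraq,1505; classtype:bad-unknown; sid:1971; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE(?!\n)\s[^\n]{100}/smi"; metadata:service ftp; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER(?!\n)\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,22044; reference:bugtraq,22045; reference:bugtraq,4638; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; classtype:attempted-admin; sid:1734; rev:37;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS(?!\n)\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1690; reference:bugtraq,22045; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; classtype:attempted-admin; sid:1972; rev:22;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR(?!\n)\s[^\n]{100}/smi"; metadata:service ftp; reference:bugtraq,819; classtype:attempted-admin; sid:1942; rev:8;)
# MKD uses a 180-byte threshold rather than the 100 used elsewhere (kept as published).
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:180,relative; pcre:"/^MKD(?!\n)\s[^\n]{180}/smi"; metadata:service ftp; reference:bugtraq,11772; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:nessus,12108; classtype:attempted-admin; sid:1973; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST(?!\n)\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp; reference:bugtraq,2972; reference:cve,2001-0826; reference:nessus,11755; classtype:attempted-admin; sid:1974; rev:11;)
# Disabled in the published ruleset; left disabled here.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE(?!\n)\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp; reference:bugtraq,2972; reference:cve,2001-0826; reference:cve,2001-1021; reference:nessus,11755; classtype:attempted-admin; sid:1975; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD(?!\n)\s[^\n]{100}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp; reference:bugtraq,2972; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:1976; rev:13;)

# --- protocol decode checks --------------------------------------------------
# RFC 959 allows only MODE S, B or C; anything else after "MODE " is flagged.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE"; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; metadata:service ftp; reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1623; rev:8;)
# Local change (rev bumped 13 -> 14): the published pcre was `/^PWD\s.{190}/smi`.
# With the `s` modifier `.` also matches newlines, so the 190 bytes could be
# satisfied by whatever commands follow "PWD" in the same reassembled buffer,
# i.e. a false positive on any client that pipelines commands.  Brought in line
# with the other overflow rules so the 190 bytes must be on the PWD line itself.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PWD overflow attempt"; flow:to_server,established; content:"PWD"; nocase; isdataat:190,relative; pcre:"/^PWD(?!\n)\s[^\n]{190}/smi"; metadata:service ftp; classtype:protocol-command-decode; sid:1624; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SYST overflow attempt"; flow:to_server,established; content:"SYST"; nocase; isdataat:100,relative; pcre:"/^SYST(?!\n)\s[^\n]{100}/smi"; metadata:service ftp; reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1625; rev:9;)
# Disabled in the published ruleset; left disabled here.  |3A 5C| is ":\".
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD Root directory transversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; metadata:service ftp; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:10;)

# bad ftp commands
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; metadata:service ftp; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:6;)
# Disabled in the published ruleset; left disabled here.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; metadata:service ftp; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:9;)
# Disabled in the published ruleset (bare SITE EXEC); sid:1971 above still
# fires on SITE EXEC with format specifiers.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; metadata:service ftp; reference:arachnids,317; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:361; rev:17;)
# MS02-018: STAT with a wildcard argument (\x2a = "*", \x3f = "?").
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x2a/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:1777; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x3f/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:1778; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; metadata:service ftp; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:13;)

# bad directories
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; metadata:service ftp; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; metadata:service ftp; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; nocase; pcre:"/^CWD\s+~/smi"; metadata:service ftp; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:12;)

# vulnerabilities against specific implementations of ftp
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u directory transversal"; flow:to_server,established; content:".%20."; nocase; metadata:service ftp; reference:bugtraq,2052; reference:cve,2001-0054; reference:nessus,10565; classtype:bad-unknown; sid:360; rev:9;)
# No command anchor: any client data containing "~" followed later by "["
# matches, so expect noise from legitimate file names using those characters.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt ["; flow:to_server,established; content:"~"; content:"["; distance:0; metadata:service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1377; rev:17;)
# Disabled in the published ruleset; left disabled here.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:0; metadata:service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1378; rev:18;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; metadata:service ftp; reference:cve,1999-0081; classtype:misc-attack; sid:1622; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; metadata:service ftp; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:9;)

# BAD FILES
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; flow:to_server,established; content:".forward"; metadata:service ftp; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334; rev:6;)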