Detect FTP injection - step 2
Rule 2
Detect 227 response and see if PASV was seen before
alert tcp any 21 -> any any \
    (msg:"FTP unsolicited 227, possible injection"; \
    flow:to_client; content:"227"; depth:3; \
    flowbits:isnotset,ftp.pasv_seen; \
    flowbits:set,ftp.possible_injection; noalert; \
    classtype:protocol-command-decode; sid:2; rev:1;)
We could already alert here, but we take it one step further.
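The per-flow flowbits logic of Rule 2, modelled in Python over constructed FTP control-channel packets (an added example, not from the original slides). The rule that sets ftp.pasv_seen when the client sends PASV is not shown on this slide and is assumed here; the function names and sample traffic are illustrative.

```python
# Added example: models the per-flow flowbits logic of Rule 2 on constructed data.
from collections import defaultdict

PASV_SEEN = "ftp.pasv_seen"
POSSIBLE_INJECTION = "ftp.possible_injection"


def rule_pasv_seen(direction, payload, bits):
    """ASSUMED earlier rule (not shown on this slide): mark the flow when
    the client sends PASV."""
    if direction == "to_server" and payload[:4].upper() == b"PASV":
        bits.add(PASV_SEEN)


def rule_2(direction, src_port, payload, bits):
    """Rule 2 from the slide: flow:to_client; content:"227"; depth:3;
    flowbits:isnotset,ftp.pasv_seen; flowbits:set,ftp.possible_injection."""
    if direction != "to_client" or src_port != 21:
        return False
    if payload[:3] != b"227":          # depth:3 -> only the first 3 bytes
        return False
    if PASV_SEEN in bits:              # solicited reply, nothing to flag
        return False
    bits.add(POSSIBLE_INJECTION)       # noalert: state only, no alert
    return True


def inspect(packets):
    """Run both rules over (flow_id, direction, src_port, payload) tuples
    and return the flowbits set on each flow."""
    flows = defaultdict(set)           # flowbits are tracked per flow
    for flow_id, direction, src_port, payload in packets:
        bits = flows[flow_id]
        rule_pasv_seen(direction, payload, bits)
        rule_2(direction, src_port, payload, bits)
    return dict(flows)


# Constructed control-channel traffic: flow "A" asks for passive mode,
# flow "B" receives a 227 without ever sending PASV.
SAMPLE = [
    ("A", "to_server", 40001, b"PASV\r\n"),
    ("A", "to_client", 21, b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"),
    ("B", "to_server", 40002, b"CWD pub\r\n"),
    ("B", "to_client", 21, b"250 OK\r\n"),
    ("B", "to_client", 21, b"227 Entering Passive Mode (192,0,2,10,195,81)\r\n"),
]

if __name__ == "__main__":
    for flow_id, bits in inspect(SAMPLE).items():
        print(flow_id, sorted(bits))
```

This model never clears ftp.pasv_seen, so a flow that sent PASV once is not flagged for later 227 replies; whether the full ruleset resets the bit is not shown on this slide.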
Éric Leblond, Victor Julien (OISF), The menace came from below, Hack.lu 2012, 42 / 66