Detect FTP injection - port
Rule
An injected 227 reply carries the port the client will connect to.
Syntax: "227 Entering Passive Mode (192,168,2,2,12,234)"
The port is computed from the last two values: 1st port value * 256 + 2nd value (here 12 * 256 + 234 = 3306).
Because the port is the result of a calculation that PCRE cannot perform, PCRE is of limited use: the rule below only catches replies whose first port value is 0 (ports below 256), and the negative lookahead in the second pcre excludes ports 20 and 21.
alert tcp any 21 -> any any \
    (msg:"FTP 227 to privileged port"; \
    flow:to_client; content:"227"; depth:3; \
    pcre:"/^227\s[A-z\s]+\((\d+,){4}0,/m"; \
    pcre:"/(?!2[0-1]\))/R"; \
    classtype:protocol-command-decode; sid:7; rev:1;)
Similarly, we can detect 227 replies pointing at other ports, such as MySQL's 3306 (the 12,234 pair in the syntax example above).
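To make the PCRE limitation concrete, the following Python example (added here, not part of the slides or of Suricata) parses 227 replies and computes the port as p1 * 256 + p2, then runs the slide's two pcre conditions glued into one regex against constructed sample replies. It also goes one step beyond the slide: since p2 is at most 255, p1 * 256 + p2 < 1024 exactly when p1 is 0..3, so the character class [0-3] covers every privileged port without arithmetic. The sample reply lines and all function names are constructed for this illustration.

```python
import re

# Constructed sample 227 replies (not from the slides). The fourth line is
# the slide's own syntax example and resolves to 192.168.2.2:3306 (MySQL).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,2,2,0,22)",     # port 22, privileged
    "227 Entering Passive Mode (192,168,2,2,0,21)",     # port 21, privileged (FTP control)
    "227 Entering Passive Mode (192,168,2,2,2,0)",      # port 512, privileged
    "227 Entering Passive Mode (192,168,2,2,12,234)",   # port 3306, not privileged
    "227 Entering Passive Mode (192,168,2,2,200,100)",  # port 51300, ephemeral
    "227 Entering Passive Mode (192,168,2,2,300,1)",    # malformed: value > 255
    "220 ftp.example.org FTP server ready",             # not a 227 reply
]

# Generic 227 parser: six decimal fields in parentheses, h1..h4 and p1,p2.
PASV_RE = re.compile(
    r"^227\s+.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_227(line):
    """Return (ip, port) for a well-formed 227 reply, else None.

    The port is p1 * 256 + p2, the arithmetic a PCRE cannot perform.
    """
    m = PASV_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:          # each field is one byte
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def is_privileged(port):
    return port < 1024

# The slide's two pcre options glued together: /R continues the second
# pattern where the first one ended, so it acts as one negative lookahead.
SLIDE_RULE_RE = re.compile(r"^227\s[A-z\s]+\((\d+,){4}0,(?!2[0-1]\))", re.M)

def slide_rule_matches(line):
    """True when the slide's rule would alert: p1 == 0 and p2 not 20 or 21."""
    return SLIDE_RULE_RE.search(line) is not None

# Generalisation (added here, not on the slide): with p2 <= 255,
# p1 * 256 + p2 < 1024 exactly when p1 <= 3, so the class [0-3] covers
# every privileged port without any arithmetic.
FULL_PRIV_RE = re.compile(r"^227\s[A-z\s]+\((\d{1,3},){4}[0-3],\d{1,3}\)", re.M)

def full_rule_matches(line):
    """True for any 227 reply whose port is below 1024."""
    return FULL_PRIV_RE.search(line) is not None

def evaluate(lines):
    """Compare the computed port with what each regex would flag."""
    rows = []
    for line in lines:
        parsed = parse_227(line)
        rows.append({
            "line": line,
            "port": parsed[1] if parsed else None,
            "privileged": is_privileged(parsed[1]) if parsed else False,
            "slide_rule": slide_rule_matches(line),
            "full_rule": full_rule_matches(line),
        })
    return rows

def missed_by_slide_rule(lines):
    """Privileged ports the slide's rule does not alert on."""
    return [r["port"] for r in evaluate(lines)
            if r["privileged"] and not r["slide_rule"]]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_REPLIES):
        print(f"{r['line']:<50} port={r['port']!s:<6} priv={r['privileged']!s:<5} "
              f"slide={r['slide_rule']!s:<5} full={r['full_rule']}")
    print("missed by slide rule:", missed_by_slide_rule(SAMPLE_REPLIES))
```

Running it over the constructed replies shows the slide's rule alerting on port 22, staying silent on 21 (the deliberate lookahead exclusion), and missing port 512 because p1 is 2 rather than 0, while the [0-3] variant flags both 21 and 512 and still ignores 3306.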
Éric Leblond, Victor Julien (OISF), The menace came from below, Hack.lu 2012, slide 45 / 66