Snort mailing list archives

False positives with SID 1337 and SID 1378


From: Jon <warchild () spoofed org>
Date: Wed, 5 Feb 2003 13:11:25 -0500

I've found a number of false positives with the SIDs mentioned above.

Actually, they aren't really false positives because I don't see why the
rules are getting triggered. 

1377 looks for ~ and [ with at least 1 byte between the two (that's what the
distance modifier claims to do).

1378 looks for ~ and { with at least 1 byte between the two.

Here are two strings that triggered these rules:

1377
RETR /home/user/homework/hw4/problem1/1-5/BankAccount.java~..

1378
RETR /home/user/homework/hw4/problem1/1-6&1-7/SavingAccount.java~..

Both of these strings contain ~, but neither contains the [ or the {.

So, why are they triggering?  There is almost certainly a [ and a { in this
ftp transfer, but probably long after the RETR command is executed and
certainly after this packet has passed.  Does 'distance' search forever?

I have stream4_reassemble in its default state and follow SNORT_1_9 in CVS.

The other question is...  All of the attacks that I saw back when this
particular bug was being actively exploited did something like 'CWD ~{'.
But, it looks like the only requirement is that the glob end in a { or [,
so the glob could be arbitrarily large.  Was that the thinking behind:

   content:"~"; content:"{"; within:1;

vs.

   content:"~{";   ?

With that in mind, the rule in its current form would *not* catch 'CWD
~{....', right?

Any help or insight would be appreciated.

Thanks,

-jon 
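The semantics Jon is asking about can be checked on a single buffer with a small model of Snort's relative content modifiers. The code below is an added example, not part of Jon's post and not Snort's own matching engine: it assumes the documented meaning of the modifiers (`distance:N` starts the next search N bytes after the end of the previous match; `within:N` requires the next pattern to be found entirely within N bytes of that point) and it only looks at one payload, so it cannot say what stream4 reassembly presented to the detection engine. The option strings are copied from the rule forms quoted above; the `RETR` and `CWD` payloads are constructed from the strings in the post. The parser handles only plain quoted `content` strings, not `|hex|` escapes, and the matcher takes the first occurrence of each pattern without backtracking.

```python
"""Model of Snort's relative content modifiers (distance / within) on one buffer.

Added example: not Snort's code, only the documented semantics, simplified.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    distance: int = 0              # search starts this many bytes after the previous match end
    within: Optional[int] = None   # pattern must lie entirely within this many bytes of that point


def parse_options(options: str) -> List[Content]:
    """Parse a minimal subset of Snort rule options.

    Supported: content:"..."; distance:N; within:N;  (plain quoted strings only,
    no |hex| escapes). A modifier applies to the content that precedes it,
    as in a Snort rule body.
    """
    contents: List[Content] = []
    for opt in filter(None, (o.strip() for o in options.split(";"))):
        key, _, value = opt.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "content":
            m = re.fullmatch(r'"(.*)"', value)
            if not m:
                raise ValueError(f"unsupported content value: {value}")
            contents.append(Content(m.group(1).encode()))
        elif key in ("distance", "within"):
            if not contents:
                raise ValueError(f"{key} given without a preceding content")
            setattr(contents[-1], key, int(value))
        else:
            raise ValueError(f"unsupported option: {key}")
    return contents


def match_rule(payload: bytes, contents: List[Content]) -> bool:
    """True if every content matches in order, honouring distance and within.

    Simplification: the first occurrence of each pattern is taken and never
    backtracked, which is enough to illustrate the modifier semantics.
    """
    cursor = 0  # byte just after the previous match (start of buffer initially)
    for c in contents:
        start = cursor + c.distance
        # bytes.find(sub, start, stop) only matches a pattern that fits fully
        # inside payload[start:stop], which is the "entirely within" reading.
        stop = len(payload) if c.within is None else start + c.within
        idx = payload.find(c.pattern, start, stop)
        if idx < 0:
            return False
        cursor = idx + len(c.pattern)
    return True


def evaluate(payload: bytes, options: str) -> bool:
    """Convenience wrapper: parse the option string and match it against payload."""
    return match_rule(payload, parse_options(options))


# Rule forms quoted in the post, for the "{" variant (SID 1378).
SID_1378_AS_POSTED = 'content:"~"; content:"{"; within:1;'
SID_1378_ADJACENT = 'content:"~{";'
SID_1378_DISTANCE = 'content:"~"; content:"{"; distance:1;'

# Constructed payloads: the RETR line from the post and the CWD ~{ form it mentions.
POSTED_RETR = b"RETR /home/user/homework/hw4/problem1/1-6&1-7/SavingAccount.java~..\r\n"
CWD_ADJACENT = b"CWD ~{\r\n"
CWD_GAP = b"CWD ~a{\r\n"


if __name__ == "__main__":
    for name, payload in (("RETR line", POSTED_RETR), ("CWD ~{", CWD_ADJACENT), ("CWD ~a{", CWD_GAP)):
        for label, opts in (("within:1", SID_1378_AS_POSTED), ("~{", SID_1378_ADJACENT), ("distance:1", SID_1378_DISTANCE)):
            print(f"{name:10s} {label:11s} -> {evaluate(payload, opts)}")
```

On a single buffer the `within:1` form and the literal `~{` form behave identically, the `distance:1` form is the one that refuses an adjacent `~{` and needs at least one byte between the two characters, and the posted `RETR` line matches none of the three because it has no `{` at all; only the bare `content:"~"` half of the rule fires on it. Whatever caused the alert therefore has to come from data outside this one line, which is the reassembly question the post raises.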

