February 2nd, 2005, 13:41

I ran a Nessus scan on my host PC and got the report back, but I'm not sure where to find the content I need to write my rule. I have read the Snort rule manual, but I don't know where to find the info I need for the content part.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt";flow:to_server,established; content:"CEL "; nocase; content:!"|0a|"; within:100; reference:bugtraq,679; reference:cve,CVE-1999-0789; reference:arachnids,257; classtype:attempted-admin; sid:337; rev:5;)

Where could I find where it says "CEL " and |0a|? (I know my content might be different.)

What would I write for this one:

The remote host is running a version of ProFTPd which seems
to be vulnerable to a buffer overflow when a user downloads
a malformed ASCII file.

An attacker with upload privileges on this host may abuse this
flaw to gain a root shell on this host.

*** The author of ProFTPD did not increase the version number
*** of his product when fixing this issue, so it might be false
*** positive.

Solution : Upgrade to ProFTPD 1.2.9 when available or to 1.2.8p
Risk Factor : High
BID : 8679
Nessus ID : 11849

Also, how would I know if the latest Snort rules for my version cover a specific vulnerability or exploit?

Any help would be very helpful.

Thanks, csi

February 2nd, 2005, 14:38
I'm not familiar enough with the exploit in question to write a signature on the fly, but I found one as part of a GCIH practical paper that looks like it will work for you.

alert tcp any any -> a.b.c.d/24 20 (flags: AP; content: "STOR.proft_put_down-"; msg: "proft_put_down exploit";)

The link to his practical is here:

February 2nd, 2005, 15:52
Where do you find any kind of info to be able to write a sig for it? Nessus just tells me the port and protocol, but I need more info to be able to detect just that vulnerability.

See, I'm doing a project for school where I have to write different rules every week for the honeynet. I read the Snort manual, but it doesn't tell me where I can find info on these vulnerabilities to add to my rule.

February 2nd, 2005, 16:00
If there aren't any signatures written already, you will have to analyze the packets yourself and look for content in them to match on. With some attacks this is quite easy; others can be a pain in the butt. Your best bet is to grab the exploit off the net and run it against a box in your test lab running ProFTPD, or whatever service you are checking for. It will require strong knowledge of TCP/IP, IP, ICMP, etc. to do even the basic signatures, and being familiar with a good sniffer like tcpdump and/or Ethereal will help as well.
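An added worked example (not code from the thread or from Snort) tying the two questions above together: how the content options of the CEL rule quoted in the first post actually evaluate against captured FTP control-channel bytes, and how to check whether a ruleset already cites a given Bugtraq ID or CVE. The evaluator implements a deliberately simplified version of Snort's `content`/`nocase`/`within` semantics; the ruleset, payloads and function names are all constructed for illustration.

```python
"""Toy evaluator for the content/nocase/within options of a Snort rule.

Added example for the thread above, not code from Snort or from the thread.
It parses the FTP CEL rule quoted in the first post, runs it against a few
constructed FTP control-channel payloads to show why "CEL " is the content
and why the negated "|0a|" within 100 bytes is what makes an overlong
argument fire, and looks up which rules cite a given reference so you can
check whether a ruleset already covers a Bugtraq ID or CVE.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed ruleset: just the rule quoted in the thread (sid 337).
RULES_TEXT = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt"; flow:to_server,established; content:"CEL "; nocase; content:!"|0a|"; within:100; reference:bugtraq,679; reference:cve,CVE-1999-0789; reference:arachnids,257; classtype:attempted-admin; sid:337; rev:5;)
'''

# Constructed sample payloads standing in for captured FTP control-channel data.
NORMAL = b"CEL short_name\r\n"              # ordinary command: a newline follows soon
LONG_ARG = b"CEL " + b"A" * 300 + b"\r\n"   # 300-byte argument: no newline within 100 bytes
OTHER = b"USER anonymous\r\n"               # unrelated command: first content never matches


@dataclass
class Content:
    pattern: bytes
    negated: bool = False
    nocase: bool = False
    within: Optional[int] = None


@dataclass
class Rule:
    sid: int = 0
    msg: str = ""
    references: List[str] = field(default_factory=list)
    contents: List[Content] = field(default_factory=list)


def decode_content(text: str) -> bytes:
    """Snort content syntax: literal text, with hex bytes between pipes, e.g. "CEL |0a|"."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(line: str) -> Rule:
    """Parse the options inside (...). Assumes no ';' inside quoted strings."""
    rule = Rule()
    body = line[line.index("(") + 1 : line.rindex(")")]
    for opt in (o.strip() for o in body.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            negated = val.startswith("!")  # content:!"..." means "must NOT be present"
            rule.contents.append(Content(decode_content(val.lstrip("!").strip().strip('"')), negated))
        elif key == "nocase":
            rule.contents[-1].nocase = True   # modifies the most recent content
        elif key == "within":
            rule.contents[-1].within = int(val)
        elif key == "reference":
            rule.references.append(val)
        elif key == "sid":
            rule.sid = int(val)
        elif key == "msg":
            rule.msg = val.strip('"')
    return rule


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip().startswith("alert")]


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """Simplified Snort semantics: each content is searched from the end of the
    previous match; within:N limits the search to the next N bytes; a negated
    content passes only when the pattern is absent from that window."""
    doe = 0  # "detect offset end": where the previous content match ended
    for c in rule.contents:
        hay, needle = (payload.lower(), c.pattern.lower()) if c.nocase else (payload, c.pattern)
        end = len(hay) if c.within is None else doe + c.within
        idx = hay.find(needle, doe, end)
        if c.negated:
            if idx != -1:
                return False
        else:
            if idx == -1:
                return False
            doe = idx + len(needle)
    return True


def rules_covering(rules: List[Rule], reference: str) -> List[int]:
    """Sids of rules that cite a reference such as 'bugtraq,8679' or 'cve,CVE-1999-0789'."""
    want = reference.lower()
    return [r.sid for r in rules if any(ref.lower() == want for ref in r.references)]


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name, payload in [("NORMAL", NORMAL), ("LONG_ARG", LONG_ARG), ("OTHER", OTHER)]:
        print(f"{name:9s} -> {'ALERT' if rule_matches(rules[0], payload) else 'no alert'}")
    print("rules citing bugtraq,679 :", rules_covering(rules, "bugtraq,679"))
    print("rules citing bugtraq,8679:", rules_covering(rules, "bugtraq,8679"))
```

The point the matcher makes visible: the rule is not looking for a specific exploit string, it is looking for the command verb followed by an argument that runs past 100 bytes without a line terminator, which is the shape of almost any FTP command overflow. That is the kind of content you derive from a capture: note the verb the exploit sends and how its argument differs from a normal one (length, a missing terminator, an unusual filename prefix), then express that difference with `content`, `within`, `depth` or `pcre`. For the ProFTPD ASCII-download report, the same lookup against the real ruleset directory (the `reference:bugtraq,8679` string) is how you would find out whether a stock rule already exists before writing your own.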

February 3rd, 2005, 12:46
I have captured the packets. How would I go about finding which packet goes with which vulnerability? Is there any other way, other than hacking myself? I can't really do that because the system I have to write the rules for is another team's and it's on a network.

Would it make a difference that I didn't capture the packets to the same system I'm writing my rules for? Shouldn't the scan come up with the same results?