Snort mailing list archives
Re: How to capture FTP session info?
From: Ralf Hildebrandt <Ralf.Hildebrandt () innominate com>
Date: Tue, 3 Jul 2001 20:41:42 +0200
On Tue, Jul 03, 2001 at 01:52:13PM -0400, Mohamed LRHAZI wrote:
> Can somebody please tell me how to write a filter to capture: FTP sessions, the username, the password and the files transferred in both directions?
For that you need to scan for the keywords GET, PUT on the FTP command channel. Don't know exactly how username and password are transferred (on that same channel, yes, but the keyword!). Simply modify an FTP rule you already have.

--
ralf.hildebrandt () innominate com
innominate AG
Technical Consultant
Diplom-Informatiker
Don't be afraid of what you see - be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX
fax: +49.(0)30.308806-77
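The control-channel keyword scan suggested above, as an added example that is not part of the original post and is not a Snort rule. It assumes the wire-level commands defined in RFC 959 (USER, PASS, RETR for downloads, STOR for uploads) and runs over a constructed transcript; the function name and the `C:`/`S:` line prefixes are hypothetical. It records that a password crossed the wire in cleartext without keeping its value.

```python
import re

# Constructed sample of an FTP control channel (port 21), one message per line.
# "C:" = client to server, "S:" = server to client. Not captured traffic.
SAMPLE = """\
S: 220 ftp.example.test ready
C: USER alice
S: 331 Password required
C: PASS constructed-secret
S: 230 Login successful
C: TYPE I
C: RETR report.pdf
S: 226 Transfer complete
C: STOR upload.tar
S: 226 Transfer complete
C: QUIT
"""

CMD = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")  # FTP verb plus optional argument

def parse_control_channel(text):
    """Summarise one FTP session from its control-channel lines (hypothetical helper)."""
    session = {"user": None, "cleartext_password": False,
               "logged_in": False, "transfers": []}
    pending = None  # transfer command still waiting for the server's verdict
    for raw in text.splitlines():
        side, _, msg = raw.strip().partition(": ")
        if side == "C":
            m = CMD.match(msg)
            if not m:
                continue
            verb, arg = m.group(1).upper(), m.group(2) or ""
            if verb == "USER":
                session["user"] = arg
            elif verb == "PASS":
                session["cleartext_password"] = True  # value deliberately not stored
            elif verb in ("RETR", "STOR"):
                pending = {"direction": "download" if verb == "RETR" else "upload",
                           "file": arg, "completed": False}
                session["transfers"].append(pending)
        elif side == "S":
            if msg.startswith("230"):  # 230 = user logged in
                session["logged_in"] = True
            elif pending and msg.startswith("226"):  # 226 = transfer finished
                pending["completed"] = True
                pending = None
            elif pending and msg[:1] in ("4", "5"):  # 4xx/5xx = transfer refused or failed
                pending = None
    return session
```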
Current thread:
- How to capture FTP session info? Mohamed LRHAZI (Jul 03)
- Re: How to capture FTP session info? Ralf Hildebrandt (Jul 03)
- Re: How to capture FTP session info? Jim Forster (Jul 03)
- Re: How to capture FTP session info? Blake Frantz (Jul 03)
- Re: How to capture FTP session info? Mohamed LRHAZI (Jul 03)