Re: How to capture FTP session info?

["Jim Forster" <jforster () rapidnet com>]

There are currently two ways I know of to do this...  neither of which are
great.  :)

#1 - This will log the entire session going into the FTP server.... (gets
huge)
alert tcp any any -> any 21 (msg:"FTP Session"; session:printable;)

#2 - This one logs username, password.  Depending on the network traffic,
it's usually in the correct order in the logs.
alert tcp any any -> any 21 (msg:"FTP Username"; content:"USER"; flags:A+;)
alert tcp any any -> any 21 (msg:"FTP Password"; content:"PASS"; flags:A+;)

Hope that helps...

----- Original Message -----
From: "Mohamed LRHAZI" <mohamed () lrhazi com>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, July 03, 2001 11:52 AM
Subject: [Snort-users] How to capture FTP session info?


> Hello all,
>
> Can somebody please tell me how to write a filter to capture :
> FTP sessions, the username, the password and the files transfered in both
directions?
> I guess it is possible, isnt it ?
>
> Thank you very much.
>
> Mohamed~
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users