Snort mailing list archives
Re: How to capture FTP session info?
From: "Jim Forster" <jforster () rapidnet com>
Date: Tue, 3 Jul 2001 13:18:51 -0600
There are currently two ways I know of to do this... neither of which are great. :) #1 - This will log the entire session going into the FTP server.... (gets huge) alert tcp any any -> any 21 (msg:"FTP Session"; session:printable;) #2 - This one logs username, password. Depending on the network traffic, it's usually in the correct order in the logs. alert tcp any any -> any 21 (msg:"FTP Username"; content:"USER"; flags:A+;) alert tcp any any -> any 21 (msg:"FTP Password"; content:"PASS"; flags:A+;) Hope that helps... ----- Original Message ----- From: "Mohamed LRHAZI" <mohamed () lrhazi com> To: <snort-users () lists sourceforge net> Sent: Tuesday, July 03, 2001 11:52 AM Subject: [Snort-users] How to capture FTP session info?
Hello all, Can somebody please tell me how to write a filter to capture : FTP sessions, the username, the password and the files transfered in both
directions?
I guess it is possible, isnt it ? Thank you very much. Mohamed~ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- How to capture FTP session info? Mohamed LRHAZI (Jul 03)
- Re: How to capture FTP session info? Ralf Hildebrandt (Jul 03)
- Re: How to capture FTP session info? Jim Forster (Jul 03)
- Re: How to capture FTP session info? Blake Frantz (Jul 03)
- Re: How to capture FTP session info? Mohamed LRHAZI (Jul 03)