Snort mailing list archives

Re: How to capture FTP session info?


From: Mohamed LRHAZI <mohamed () lrhazi com>
Date: Tue, 3 Jul 2001 16:07:51 -0400

Thank you very much everyone, I knew snort could do it neatly!....

I actually do not need the file contents... I just discovered that a box is serving content to 
Internet from inside our network without my knowledge.. I am supposed to be responsible 
for net security here :)  I need to find the names of the people who are actually administering 
the web server (updating html/php files ..etc)..  not quite sure yet.. this might even be 
a complete outsider living inside :)

Thanks again.
Mohamed~



On Tuesday 03 July 2001 15:28, Blake Frantz wrote:
Hello,

I'm assuming you also want the file contents.....

You would have to sniff on ports 20 and 21:

alert tcp any any <> my.ftp.server 20 (msg: "FTP Data";)
alert tcp any any <> my.ftp.server 21 (msg: "FTP Control";)

If this is a high volume server your log files are gonna be huge.  With
this in mind I'd double check that /var/log/ is on a separate partition
than / to prevent your root filesystem from running out of space.

If you simply want the user and filename of the sent/received files
your ftp daemon probably has that capability built in.  If you're running on
a linux box, edit your /etc/inetd.conf to read as follows:

Change This:
ftp  stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd

To This:
ftp  stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -L -i -o

"-l" logs each FTP session to syslog.
"-L" will cause the server to log all USER commands
"-i" logs all received files to /var/log/xferlog
"-o" logs all sent files to /var/log/xferlog

This won't log the password.

If you want snort to catch the username, password, and filenames you can
do the following:

alert tcp any any <> 209.172.184.62 21 (msg: "FTP User Name"; flags: PA; content:"USER ";nocase;)
alert tcp any any <> 209.172.184.62 21 (msg: "FTP Password"; flags: PA; content:"PASS ";nocase;)

alert tcp any any <> 209.172.184.62 21 (msg: "FTP Store File"; flags: PA; content:"STOR ";nocase;)
alert tcp any any <> 209.172.184.62 21 (msg: "FTP Retrieve File"; flags: PA; content:"RETR ";nocase;)


Hope this helps.

-Blake

=================================================================
The Government, like diapers, should be replaced regularly, and
often for the same reasons.

On Tue, 3 Jul 2001, Mohamed LRHAZI wrote:
Hello all,

Can somebody please tell me how to write a filter to capture :
FTP sessions, the username, the password and the files transferred in both
directions?

I guess it is possible, isn't it ?

Thank you very much.

Mohamed~
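As an added illustration (not code from the thread), here is a small Python parser that pulls out the same fields the rules above key on (USER, PASS, STOR, RETR) from a constructed FTP control-channel transcript. It anchors the command verb to the start of each CRLF-terminated line, which a bare content:"USER "; nocase; match does not, so a file-name argument that happens to contain "USER " is not mistaken for a login; the password value is deliberately not retained. The session bytes are made up for the example.

```python
import re

# Constructed sample FTP control-channel session (client side only);
# not a real capture. Mirrors what the Snort rules above key on.
SAMPLE_SESSION = b"".join([
    b"user webadmin\r\n",
    b"PASS s3cret\r\n",
    b"CWD /var/www\r\n",
    b"STOR index.php\r\n",            # the FTP verb is STOR, not STORE
    b"RETR config.inc.php\r\n",
    b"RETR USER notes.txt\r\n",       # argument contains "USER " but is not a login
    b"QUIT\r\n",
])

# RFC 959: verb, one space, argument, CRLF. Anchor at line start, ignore case.
CMD_RE = re.compile(rb"^(USER|PASS|STOR|RETR) (.*)$", re.IGNORECASE)


def parse_ftp_control(data):
    """Summarise a control-channel transcript: username, whether a PASS
    was sent (the secret itself is dropped), and files stored/retrieved."""
    summary = {"user": None, "password_seen": False, "stored": [], "retrieved": []}
    for line in data.split(b"\r\n"):
        m = CMD_RE.match(line)
        if not m:
            continue
        verb = m.group(1).upper()
        arg = m.group(2).decode("latin-1")
        if verb == b"USER":
            summary["user"] = arg
        elif verb == b"PASS":
            summary["password_seen"] = True      # never log the value
        elif verb == b"STOR":
            summary["stored"].append(arg)
        elif verb == b"RETR":
            summary["retrieved"].append(arg)
    return summary


def substring_hits(data, needle):
    """How often an unanchored, case-insensitive content match (as in the
    Snort rules above) would fire on this payload; shows the false positive."""
    return data.lower().count(needle.lower())


if __name__ == "__main__":
    print(parse_ftp_control(SAMPLE_SESSION))
    print("unanchored 'USER ' hits:", substring_hits(SAMPLE_SESSION, b"USER "))
```

The anchored parser reports one login (webadmin) while the unanchored count for "USER " is two, one of them from the RETR argument.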

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
