Snort mailing list archives
Rules to block FT
From: "Atkins, Dwane P" <ATKINSD () uthscsa edu>
Date: Wed, 27 Jun 2007 10:18:54 -0500
I have a testbed set up and have already alerted and blocked via SnortSam for SSH. I am now working on FTP. My rule:

# Direction corrected to agree with flow:from_server: the "530" reply travels from
# the FTP server (port 21) to the client, so the server side is the source and the
# client racking up failures is the destination; threshold tracks by_dst and fwsam
# therefore blocks dst rather than src (src would be the FTP server itself).
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BLOCKED Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User|Failed)/smi"; classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 10, seconds 60; sid:1000002; rev:1; fwsam: dst, 5 minutes;)

Does this look like it will work? I am not that adept at building rules and am learning. This was from Bleeding Edge, I think.

Dwane
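An added example, not part of the original post or of Snort/SnortSam, that replays the rule's detection logic in Python over a constructed FTP control-channel trace: it keeps only server-to-client replies (the flow:from_server / port 21 direction), applies the rule's pcre with the same s, m and i flags, counts matches per client address (track by_dst), and emits a "block dst for 5 minutes" decision once 10 matches land inside a 60-second window. The packet tuples, addresses and timestamps are constructed sample data, and the window handling is an assumed simplification of Snort's "type threshold" behaviour (fire on every count-th event within the period, then reset).

```python
import re

# Pattern and numbers taken from the rule: pcre "/^530\s+(Login|User|Failed)/smi"
# and "threshold: type threshold, track by_dst, count 10, seconds 60; fwsam: dst, 5 minutes".
FTP_530_RE = re.compile(rb"^530\s+(Login|User|Failed)", re.S | re.M | re.I)
THRESHOLD_COUNT = 10
THRESHOLD_SECONDS = 60
BLOCK_MINUTES = 5


class ThresholdTracker:
    """Per-key counter that fires once every `count` events seen inside `seconds`.

    Assumed approximation of Snort's "type threshold": the window opens on the
    first event, an expired window is restarted, and a firing resets the count.
    """

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.state = {}  # key -> (window_start, events_in_window)

    def hit(self, key, ts):
        start, n = self.state.get(key, (ts, 0))
        if ts - start >= self.seconds:  # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        if n >= self.count:  # fire and reset
            self.state[key] = (ts, 0)
            return True
        self.state[key] = (start, n)
        return False


def process(packets):
    """packets: iterable of (ts, src, sport, dst, dport, payload) tuples.

    Returns the block decisions the rule would hand to SnortSam, as
    (timestamp, blocked_host, minutes) tuples.
    """
    tracker = ThresholdTracker(THRESHOLD_COUNT, THRESHOLD_SECONDS)
    blocks = []
    for ts, src, sport, dst, dport, payload in packets:
        if sport != 21:  # only replies from the FTP server (flow:from_server)
            continue
        if not FTP_530_RE.search(payload):  # content:"530 " + pcre
            continue
        if tracker.hit(dst, ts):  # track by_dst: the client receiving the 530s
            blocks.append((ts, dst, BLOCK_MINUTES))
    return blocks


def sample_packets():
    """Constructed FTP control-channel traffic (not a real capture)."""
    server = "192.0.2.10"
    pkts = []
    # One client receives 12 login failures over ~33 seconds.
    for i in range(12):
        pkts.append((1000.0 + i * 3, server, 21, "203.0.113.7", 40000 + i,
                     b"530 Login incorrect.\r\n"))
    # An ordinary client: one typo, then a successful login.
    pkts.append((1005.0, server, 21, "198.51.100.4", 50001,
                 b"530 User cannot log in.\r\n"))
    pkts.append((1009.0, server, 21, "198.51.100.4", 50001,
                 b"230 Login successful.\r\n"))
    # A 530 banner whose wording the pcre does not cover.
    pkts.append((1011.0, server, 21, "198.51.100.9", 50002,
                 b"530 Please login with USER and PASS.\r\n"))
    # Same bytes in the client-to-server direction: ignored by the direction check.
    pkts.append((1012.0, "198.51.100.9", 50002, server, 21,
                 b"530 Login incorrect.\r\n"))
    return pkts


if __name__ == "__main__":
    for ts, host, minutes in process(sample_packets()):
        print(f"t={ts}: block {host} for {minutes} minutes")
```

Running it yields a single decision: the client at 203.0.113.7 is blocked when its tenth "530 Login incorrect." arrives (t=1027.0), while the client with one typo, the unmatched banner and the wrong-direction packet produce nothing. That is the check worth doing against a rule before it drives a firewall: confirm that the host the threshold tracks is the host fwsam blocks.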
Current thread:
- Rules to block FT Atkins, Dwane P (Jun 27)
- Re: Rules to block FT Joel Ebrahimi (Jun 28)
- Re: Rules to block FT Valter Santos (Jun 28)
- Re: Rules to block FT Atkins, Dwane P (Jun 28)
- Re: Rules to block FT Valter Santos (Jun 28)
- Re: Rules to block FT Joel Ebrahimi (Jun 28)