Rules to block FT

["Atkins, Dwane P" <ATKINSD () uthscsa edu>]

I have a testbed set up and have already alerted and blocked via
snortsam for SSH.  I am now working on FTP.

 

My rule:

 

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (   msg:"BLOCKED Potential
FTP Brute-Force attempt";flow:from_server,established; content:"530 ";
pcre:"/^530\s+(Login|User|Failed)/smi";classtype:unsuccessful-user;
threshold: type threshold, track by_dst, count 10, seconds 60;
sid:1000002; rev:1; fwsam: src, 5 minutes;)

 

Does this look like it will work? I am not that adept about building
rules and am learning.  This was from bleeding edge, I think.

 

Dwane

 

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users