Snort mailing list archives
Re: Rules to block FT
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 24 Jul 2007 19:12:45 -0500
On Thu, 2007-06-28 at 13:27 -0500, Atkins, Dwane P wrote:
> They seem to both work.
Not so quick :)
I think what Dwane is looking for is FTP brute-force attempts against his own FTP servers, so this should do it:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any
Make sure you are blocking DST in this rule, not SRC, if you want to block EXTERNAL_NET. In your old rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"BLOCKEDPotentialFTP Brute-Force attempt";flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User|Failed)/smi";classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 10, seconds 60; sid:1000002; rev:1; fwsam: src, 5 minutes;)
You had SRC listed, which is correct for HOME_NET (since it is a client in this rule, and I assume you wanted to block your rogue client PC on the inside ;)

Remember that SRC blocks the host LEFT of -> and DST blocks the host to the RIGHT of ->

Cheers,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
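As an added example (not part of this thread or of Snort itself), a small Python checker that parses a Snort rule line and reports which side of -> the fwsam option blocks, plus a consistency check for rules that key on the server's "530" reply. The first rule is Dwane's as posted; the second is constructed here from the header Frank gives and the options of Dwane's rule, with a placeholder sid and msg.

```python
import re

# Snort rule header followed by the option block in parentheses.
# Assumption: option values contain no ';' (true for the rules in this thread).
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Dwane's original rule, copied from the thread.
OLD_RULE = (r'alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"BLOCKEDPotentialFTP Brute-Force attempt";'
            r'flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User|Failed)/smi";'
            r'classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 10, seconds 60;'
            r' sid:1000002; rev:1; fwsam: src, 5 minutes;)')

# Constructed: Frank's header with Dwane's options, blocking DST; sid/msg are placeholders.
NEW_RULE = (r'alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"EXAMPLE FTP brute-force from outside";'
            r' flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User|Failed)/smi";'
            r' classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 10, seconds 60;'
            r' sid:1000003; rev:1; fwsam: dst, 5 minutes;)')

def parse_rule(rule):
    """Split a Snort rule into its header fields and a dict of options."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    fields = m.groupdict()
    opts = {}
    for item in fields.pop("opts").split(";"):
        if item.strip():
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip()
    fields["options"] = opts
    return fields

def fwsam_target(rule):
    """Return (address_variable, side) that 'fwsam:' blocks, or None.
    fwsam: src blocks the host LEFT of ->, fwsam: dst blocks the host RIGHT of ->."""
    r = parse_rule(rule)
    fw = r["options"].get("fwsam")
    if fw is None:
        return None
    what = fw.split(",")[0].strip().lower()
    return {"src": (r["src"], "left"), "dst": (r["dst"], "right")}.get(what)

def check_ftp_bruteforce_rule(rule):
    """Consistency checks for a rule matching the server's '530' reply.
    With flow:from_server the packet travels server -> client, so port 21 is
    the SOURCE port and the failing client is the packet destination."""
    r = parse_rule(rule)
    findings = []
    if "from_server" in r["options"].get("flow", ""):
        if r["sport"] != "21":
            findings.append("flow:from_server but source port is %s, not 21" % r["sport"])
        tgt = fwsam_target(rule)
        if tgt and tgt[1] == "left":
            findings.append("fwsam: src blocks %s, the packet source, i.e. the server side" % tgt[0])
    return findings
```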