Snort mailing list archives
can I write rules to detect certain ftp downloads?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 24 Apr 2008 11:20:32 +1200
Hi there

I have a requirement to be able to whitelist (ie. "pass" rule) certain FTP transactions. This is easy to do with nice protocols like HTTP - but the dual-channel nature of FTP makes this hard for me at least.

Can I write a rule that would allow me to say "doing a GET on a file containing 'XXX' on port 21 means any future traffic you then see between these two IP addresses is OK"?

I guess I'm asking if a combination of "pass" rules and enabling "data_chan" on the ftptelnet preprocessor will do the trick?

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
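Added example, not part of the original post and not Snort code: a Python sketch of the correlation the question describes, reading an FTP control channel to find which negotiated data endpoint belongs to a RETR of a file whose name contains a marker. The sample lines, addresses and function names are constructed for illustration, and only the RFC 959 PORT command and 227 (PASV) reply are handled, not EPRT/EPSV.

```python
import re

# Constructed sample of FTP control-channel lines (direction, text); not captured traffic.
SAMPLE = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest"),
    ("S", "230 Login successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)."),
    ("C", "RETR /pub/build-XXX.tar.gz"),
    ("S", "150 Opening BINARY mode data connection."),
    ("C", "PORT 198,51,100,7,4,1"),
    ("S", "200 PORT command successful."),
    ("C", "RETR /pub/other.bin"),
]

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 reply (RFC 959)."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def whitelisted_data_channels(lines, marker):
    """Return [(mode, ip, port, filename)] for RETRs whose filename contains marker."""
    pending = None   # data endpoint negotiated on the control channel, not yet used
    allowed = []
    for direction, text in lines:
        verb, _, arg = text.partition(" ")
        if direction == "C" and verb.upper() == "PORT":
            ep = parse_hostport(arg)
            pending = ("active",) + ep if ep else None
        elif direction == "S" and verb == "227":
            ep = parse_hostport(arg)
            pending = ("passive",) + ep if ep else None
        elif direction == "C" and verb.upper() == "RETR":
            if pending and marker in arg:
                allowed.append(pending + (arg,))
            pending = None  # each negotiated endpoint serves a single transfer
    return allowed
```

The result is one specific listening endpoint per matching transfer, which is a narrower unit to pass than all traffic between the two IP addresses.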