Snort mailing list archives

can I write rules to detect certain ftp downloads?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 24 Apr 2008 11:20:32 +1200

Hi there

I have a requirement to be able to whitelist (i.e. "pass" rule) certain 
FTP transactions. This is easy to do with nice protocols like HTTP - but 
the dual-channel nature of FTP makes this hard, for me at least.

Can I write a rule that would allow me to say "doing a GET on a file 
containing 'XXX' on port 21 means any future traffic you then see 
between these two IP addresses is OK"? I guess I'm asking if a 
combination of "pass" rules and enabling "data_chan" on the ftptelnet 
preprocessor will do the trick?

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
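
The dual-channel problem raised in the message above, as an added example that is not part of the original post and is not Snort's preprocessor code: the file name appears only in RETR on the port 21 control connection, while the file bytes travel on a separate connection whose endpoint comes from the preceding PORT command or 227 reply. The session lines, addresses and function names are constructed for illustration, and EPSV/EPRT are not handled.

```python
import re

# Constructed FTP control-channel lines (port 21) as (side, line); not real traffic.
SAMPLE = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest"),
    ("S", "230 Login successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)."),
    ("C", "RETR /pub/XXX-report.zip"),
    ("S", "150 Opening BINARY mode data connection."),
    ("S", "226 Transfer complete."),
    ("C", "PORT 198,51,100,7,4,1"),
    ("S", "200 PORT command successful."),
    ("C", "RETR /pub/other.bin"),
    ("S", "150 Opening BINARY mode data connection."),
]

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 reply."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def allowed_data_channels(lines, marker):
    """Return (mode, ip, port) for each RETR whose path contains marker."""
    pending, allowed = None, []
    for side, line in lines:
        verb, _, arg = line.partition(" ")
        if side == "C" and verb.upper() == "PORT":
            ep = parse_endpoint(arg)
            pending = ("active",) + ep if ep else None
        elif side == "S" and verb == "227":
            ep = parse_endpoint(arg)
            pending = ("passive",) + ep if ep else None
        elif side == "C" and verb.upper() == "RETR":
            if pending and marker in arg:
                allowed.append(pending)
            pending = None  # a negotiated endpoint serves one transfer only
    return allowed
```

Tying the exemption to the negotiated data endpoint keeps it narrower than allowing all later traffic between the two hosts.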



