Snort mailing list archives

Snort Rule and FTP server


From: quocviet nguyen <nguyenquocviet.2010 () gmail com>
Date: Sun, 3 Nov 2013 16:23:49 +0700

Hi all,

I have installed Snort Version 2.9.4.6 GRE (Build 73) on CentOS 5.5, and
then I wrote a simple rule:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 "; pcre:"/530\s+(Login|User|Failed|Not)/smi"; sid:1000003; rev:10;)

This rule detects unsuccessful user logins to the FTP server, but Snort cannot
detect the string "530 Login incorrect" in the server's response payload,
although when I capture the packets with Wireshark, I see that the server has
responded with the above string.

Could you give any recommendations in this situation?

Thanks.


-- 
viet
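
The payload conditions of the rule above (content plus pcre with the s, m and i flags), reproduced in Python so they can be checked offline against FTP server replies. This is an added example, not part of the original post; the per-client counting, its count/seconds thresholds and the sample replies are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Payload conditions of the rule in the post (sid:1000003).
CONTENT = b"530 "                                  # content:"530 "; (case-sensitive)
PCRE = re.compile(rb"530\s+(Login|User|Failed|Not)",
                  re.S | re.M | re.I)              # pcre:"/.../smi"

def rule_matches(payload: bytes) -> bool:
    """True when a server-to-client payload satisfies both content and pcre."""
    return CONTENT in payload and PCRE.search(payload) is not None

def brute_force_clients(replies, count=3, seconds=60):
    """Return clients that received `count` matching replies within `seconds`.

    replies: iterable of (timestamp, client_ip, payload), sorted by timestamp.
    count and seconds are assumed thresholds, not values from the post.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, client, payload in replies:
        if not rule_matches(payload):
            continue
        window = recent[client]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while ts - window[0] > seconds:
            window.popleft()
        if len(window) >= count:
            flagged.add(client)
    return flagged

# Constructed sample replies (documentation addresses, not captured traffic).
SAMPLE = [
    (0.0, "192.0.2.10", b"530 Login incorrect.\r\n"),
    (1.0, "192.0.2.20", b"230 Login successful.\r\n"),
    (2.0, "192.0.2.10", b"530 Login incorrect.\r\n"),
    (3.0, "192.0.2.10", b"530 User cannot log in.\r\n"),
    (4.0, "192.0.2.20", b"530 Login incorrect.\r\n"),
    (200.0, "192.0.2.20", b"530 Login incorrect.\r\n"),
]

if __name__ == "__main__":
    print(sorted(brute_force_clients(SAMPLE)))
```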