Snort mailing list archives
Re: FTP Snort rule
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 07 May 2014 12:56:26 -0400
On 5/7/2014 12:31 PM, vijay saravanan wrote:
Hi All, I am new to Snort. Here is the rule written to detect connection requests to the FTP server and responses from the FTP server:

alert tcp any any <> 192.168.0.147 21 (msg:"FTP access"; sid:10000002; rev:1;)

Snort alerts on all the connection attempts from external hosts to the FTP server, but it is not producing an alert for the response sent by the FTP server. For example, I can see the packet captured from 192.168.0.125 to 192.168.0.147:21 for "USER root", but the response from the FTP server 192.168.0.147:21 to 192.168.0.125 is not captured.
are you sure the response goes back out on port 21?

ideally, you should also use content matches to speed up the pattern matching... one rule for each inbound detection desired and another rule for each outbound detection desired... it is not a good idea to try to shortcut things by using a one-rule-covers-all type of methodology...

going back to your original rule, if you only want to detect connection attempts, you might want to start by detecting the initial SYN packet of the three-way handshake used in TCP connections... that happens before any type of login sequence can be started ;)

--
NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
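As an added example (not from the thread), the rules below put the advice above into Snort 2.x rule syntax: one rule per direction with a content match, plus a SYN-only rule for the connection attempt. The server address and the "USER root" string come from the original post; the SIDs, classtypes and the 530/230 reply codes matched are my choices.

```snort
# Added example, not from the thread. Split the single bidirectional rule
# into one rule per direction and add content matches.
# 192.168.0.147 is the FTP server from the original post; SIDs are
# constructed values in the local range.

# 1. Connection attempt: initial SYN of the TCP three-way handshake.
#    Fires before any login sequence; "S,12" ignores the two reserved bits.
alert tcp any any -> 192.168.0.147 21 (msg:"FTP connection attempt (SYN)"; \
    flags:S,12; flow:stateless; classtype:misc-activity; sid:1000001; rev:1;)

# 2. Inbound: client sends "USER root" on an established session.
alert tcp any any -> 192.168.0.147 21 (msg:"FTP USER root login attempt"; \
    flow:to_server,established; content:"USER root"; nocase; \
    classtype:attempted-admin; sid:1000002; rev:1;)

# 3. Outbound: server replies to the client. FTP control replies start with
#    a three-digit code at payload offset 0, so depth:3 anchors the match.
#    530 = login failed, 230 = login successful.
alert tcp 192.168.0.147 21 -> any any (msg:"FTP server reply 530 login failed"; \
    flow:to_client,established; content:"530"; depth:3; \
    classtype:unsuccessful-user; sid:1000003; rev:1;)

alert tcp 192.168.0.147 21 -> any any (msg:"FTP server reply 230 login OK"; \
    flow:to_client,established; content:"230"; depth:3; \
    classtype:successful-user; sid:1000004; rev:1;)
```

Pairing rule 2 with rules 3 and 4 lets you see both the attempt and its outcome as separate alerts, which the original bidirectional rule without content matches cannot distinguish.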