Snort mailing list archives

Re: FTP Snort rule


From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 07 May 2014 12:56:26 -0400

On 5/7/2014 12:31 PM, vijay saravanan wrote:
> Hi All,
>
> I am new to Snort. Here is the rule written to detect connection requests to an FTP
> server and responses from the FTP server.
>
> alert tcp any any <> 192.168.0.147 21 (msg: "FTP access";sid:10000002;rev:1;)
>
> Snort alerts on all the connection attempts from external hosts to the FTP server,
> but it is not producing an alert for the response sent by the FTP server.
>
> For example:
>
> I could see the packet captured from 192.168.0.125 to 192.168.0.147:21 for "USER root".
>
> But the response by the FTP server 192.168.0.147:21 to 192.168.0.125 is not
> captured.

are you sure the response goes back out on port 21?

ideally, you should also use content matches to speed the pattern matching... 
one rule for each inbound detection desired and another rule for each outbound 
detection desired... it is not a good idea to try to shortcut things by using a 
one-rule-covers-all type of methodology...

going back to your original rule, if you only want to detect connection 
attempts, you might want to start by detecting the initial syn packet of the 
three-way handshake used in tcp connections... that happens before any type of 
login sequence can be started ;)

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
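As an added illustration of the per-direction, content-matched rules suggested in the reply above (these are not rules from the thread or from the Snort rule set): one inbound rule keyed on the USER command, one outbound rule keyed on the server's response, and one that fires on the initial SYN. The server address is taken from the original question; the msg strings, the sids and the 331 response code are assumptions.

```snort
# Inbound: client sends a USER command to the FTP server.
# flow:to_server,established restricts the match to client->server traffic
# on an established session, so the content search only runs on that half.
alert tcp any any -> 192.168.0.147 21 (msg:"FTP USER command to server"; \
    flow:to_server,established; content:"USER "; nocase; \
    classtype:misc-activity; sid:1000010; rev:1;)

# Outbound: server reply to the client, here the "331" (password required)
# status line that follows a USER command. depth:4 anchors the match to the
# start of the payload. Response code assumed for illustration.
alert tcp 192.168.0.147 21 -> any any (msg:"FTP server 331 response to client"; \
    flow:to_client,established; content:"331 "; depth:4; \
    classtype:misc-activity; sid:1000011; rev:1;)

# Connection attempt: the first SYN of the TCP three-way handshake, which
# happens before any login sequence. flow:stateless is needed because there
# is no established session yet; flags:S,12 matches SYN alone while ignoring
# the two ECN reserved bits. sid values are local placeholders (>= 1000000).
alert tcp any any -> 192.168.0.147 21 (msg:"FTP connection attempt (SYN)"; \
    flow:stateless; flags:S,12; \
    classtype:attempted-recon; sid:1000012; rev:1;)
```

Each direction gets its own rule and its own sid, so the alert log shows unambiguously whether the request, the response, or the bare connection attempt was seen.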

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs