Snort mailing list archives

Re: ftp rules


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 22 Oct 2015 15:41:07 +0000

For ftp (or any rule) syntax please visit the website here: http://manual.snort.org/node27.html


Here are some (ftp rules) taken from the community rules available on the snort.org website. https://snort.org/downloads


[alewis@provare community-rules]$ cat community.rules | grep ftp | more

# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:144; rev:16;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; metadata:ruleset community, service ftp; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .forward"; flow:to_server,established; content:".forward"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:334; rev:12;)


Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
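As an added example (written for this archive page; it is not Al Lewis's code and not part of the Snort project), the script below parses the three community rules quoted in the reply into their header fields and rule options, and decodes the `|..|` hex notation used in `content` matches, which is the part of the syntax that most often confuses someone writing a first FTP rule. It also flags that all three lines start with `#`, meaning they are commented out (disabled) in community.rules as shipped and must be uncommented before Snort will load them. Function names and the sample list are my own; the rule text is copied from the reply.

```python
"""Parse Snort 2 rule lines (header + options) and decode content byte strings.

Added example for the snort-sigs thread; not the project's own code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the three community rules quoted in the reply, each rejoined
# onto one line, still prefixed with "# " exactly as they appear in the grep output.
SAMPLE_RULES = [
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\\s+w0rm/smi"; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:144; rev:16;)',
    '# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; metadata:ruleset community, service ftp; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:14;)',
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .forward"; flow:to_server,established; content:".forward"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:334; rev:12;)',
]

# Rule header: [#] action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def split_options(body: str) -> List[Tuple[str, Optional[str]]]:
    """Split 'key:value; key; ...' on semicolons that are outside double quotes.

    Backslash escapes inside quotes (\\" \\; \\\\) are preserved so a ';' in a
    pcre or content string does not terminate the option early.
    """
    opts, buf, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and in_quotes and i + 1 < len(body):
            buf.extend((ch, body[i + 1]))
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            opts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = ''.join(buf).strip()
    if tail:
        opts.append(tail)
    parsed = []
    for opt in opts:
        if not opt:
            continue
        key, sep, val = opt.partition(':')  # first colon only; pcre values may contain ':'
        parsed.append((key.strip(), val.strip() if sep else None))
    return parsed


def decode_content(value: str) -> bytes:
    """Turn a content string such as "|B4| |B4|!|8B CC|" into raw bytes.

    Text outside pipe pairs is literal; text between pipes is space-separated hex.
    """
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    parts = value.split('|')
    if len(parts) % 2 == 0:
        raise ValueError('unbalanced | in content: ' + value)
    out = bytearray()
    for idx, part in enumerate(parts):
        if idx % 2 == 0:  # literal segment: drop the backslash from escaped characters
            out += re.sub(r'\\(.)', r'\1', part).encode('latin-1')
        else:             # hex segment: bytes.fromhex tolerates the spaces between bytes
            out += bytes.fromhex(part)
    return bytes(out)


def parse_rule(line: str) -> Optional[Dict]:
    """Parse one rule line; returns None for blank lines and ordinary comments."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    opts = split_options(m.group('opts'))
    rule = {
        'disabled': m.group('disabled') is not None,  # leading '#' means Snort will not load it
        'action': m.group('action'), 'proto': m.group('proto'),
        'src': m.group('src'), 'sport': m.group('sport'), 'direction': m.group('dir'),
        'dst': m.group('dst'), 'dport': m.group('dport'),
        'options': opts,
        'contents': [decode_content(v) for k, v in opts if k == 'content' and v],
    }
    for key, val in opts:
        if key == 'msg':
            rule['msg'] = val.strip('"')
        elif key in ('sid', 'rev'):
            rule[key] = int(val)
    return rule


def load_rules(lines: List[str]) -> List[Dict]:
    """Parse every recognisable rule in a sequence of lines, skipping the rest."""
    return [r for r in (parse_rule(l) for l in lines) if r is not None]


if __name__ == '__main__':
    for r in load_rules(SAMPLE_RULES):
        state = 'DISABLED' if r['disabled'] else 'enabled'
        print(f"sid:{r['sid']} rev:{r['rev']} [{state}] {r['src']}:{r['sport']} {r['direction']} "
              f"{r['dst']}:{r['dport']}  {r['msg']}")
        for c in r['contents']:
            print('   content bytes:', c.hex(' '))
```

Run it as a script to see the header summary and decoded content bytes for each rule; `load_rules` can be fed the lines of any Snort 2 rules file to list which rules are commented out.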

From: Adam Ring [mailto:adam.ring () AocSolutions com]
Sent: Thursday, October 22, 2015 8:56 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] ftp rules

Hi, I am new to Snort and was trying to create an FTP rule. I have downloaded the rules from the website, but in the
ftp file there aren't any rules. I was wondering if that was supposed to be empty and, if it is, is there a
place where I can go to find some examples of FTP rules?

Adam Ring
IT Help Desk Technician
Office 703.677.9540

AOC Solutions<http://www.aocsolutions.com/> | Solutions That Pay(r)

Blog<http://www.aocsolutions.com/blog> | Video<http://www.aocsolutions.com/ap-payment-automation-video> | 
LinkedIn<https://www.linkedin.com/company/139025?trk=tyah&trkInfo=clickedVertical%3Acompany%2Cidx%3A1-1-1%2CtarId%3A1436380782168%2Ctas%3Aaoc%20solutions>


This e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and attachments (if applicable) and destroy any copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and strictly prohibited. You may be subject to confidentiality restrictions in an existing contract with AOC Solutions, Inc. As a result, you must protect the contents of this communication according to such terms and conditions.

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
