Snort mailing list archives
Re: ftp rules
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 22 Oct 2015 15:41:07 +0000
For ftp (or any rule) syntax please visit the website here: http://manual.snort.org/node27.html

Here are some (ftp rules) taken from the community rules available on the snort.org website. https://snort.org/downloads

[alewis@provare community-rules]$ cat community.rules | grep ftp | more
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:144; rev:16;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; metadata:ruleset community, service ftp; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .forward"; flow:to_server,established; content:".forward"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:334; rev:12;)

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Adam Ring [mailto:adam.ring () AocSolutions com]
Sent: Thursday, October 22, 2015 8:56 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] ftp rules

Hi

I am new to snort and was trying to create an ftp rule. I have downloaded the rules from the website, but in the ftp file there aren't any rules in there. I was wondering if that was supposed to be empty and if it is, is there a place where I can go to find some examples of ftp rules?

Adam Ring
IT Help Desk Technician
Office 703.677.9540
AOC Solutions
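
To see how the options in sid:144 quoted above combine, here is an added example (not part of the thread and not Snort's own engine) that parses that rule and evaluates only its content, nocase, distance and pcre options against constructed FTP payloads. The function names and the sample payloads are assumptions made for illustration; flow, ports and hex content are deliberately ignored.

```python
import re

# sid:144 exactly as quoted in the message above, with the leading "# " removed.
RULE_144 = (
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; '
    r'flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; '
    r'pcre:"/^USER\s+w0rm/smi"; metadata:ruleset community, service ftp; '
    r'classtype:suspicious-login; sid:144; rev:16;)'
)
PCRE_FLAGS = {"s": re.DOTALL, "m": re.MULTILINE, "i": re.IGNORECASE}
OPTION = re.compile(r'\s*([a-z_]+)(?::((?:"(?:\\.|[^"\\])*"|[^;])*))?;')

def parse_options(rule):
    """Return the rule's options, in order, as (keyword, value) pairs."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [(m.group(1), (m.group(2) or "").strip().strip('"')) for m in OPTION.finditer(body)]

def payload_matches(rule, payload):
    """Simplified evaluation of content/nocase/distance/pcre only (assumption:
    flow, ports, hex content and retrying earlier content matches are ignored)."""
    contents, regexes = [], []
    for key, val in parse_options(rule):
        if key == "content":
            contents.append({"pat": val, "nocase": False, "distance": None})
        elif key == "nocase":
            contents[-1]["nocase"] = True          # modifies the preceding content
        elif key == "distance":
            contents[-1]["distance"] = int(val)    # relative to the previous match
        elif key == "pcre":
            pattern, mods = val[1:].rsplit("/", 1)
            flags = 0
            for mod in mods:
                flags |= PCRE_FLAGS[mod]
            regexes.append(re.compile(pattern, flags))
    end = 0                                        # end offset of the previous content match
    for c in contents:
        hay, pat = (payload.lower(), c["pat"].lower()) if c["nocase"] else (payload, c["pat"])
        pos = hay.find(pat, 0 if c["distance"] is None else end + c["distance"])
        if pos < 0:
            return False
        end = pos + len(pat)
    return all(rx.search(payload) for rx in regexes)

# Constructed FTP control-channel payloads (not captured traffic).
SAMPLES = ["USER w0rm\r\n", "user   W0RM\r\n", "USERw0rm\r\n",
           "USER bob w0rm\r\n", "USER anonymous\r\n", "NOOP\r\nUSER w0rm\r\n"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} -> {'alert' if payload_matches(RULE_144, s) else 'no alert'}")
```

"USERw0rm" is rejected by distance:1, and "USER bob w0rm" passes both content checks but is rejected by the pcre, which is what keeps the rule from firing on unrelated usernames.
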
Current thread:
- ftp rules Adam Ring (Oct 22)
- Re: ftp rules Al Lewis (allewi) (Oct 22)
- Re: ftp rules Joel Esler (jesler) (Oct 22)
- Re: ftp rules Adam Ring (Oct 22)
- Re: ftp rules santhoj san (Oct 22)
- Re: ftp rules Adonis Okpidi (Oct 22)
- Re: ftp rules santhoj san (Oct 22)
- Re: ftp rules Adonis Okpidi (Oct 23)
- Re: ftp rules santhoj san (Oct 23)
- Re: ftp rules Al Lewis (allewi) (Oct 23)
- Re: ftp rules santhoj san (Oct 26)
- Re: ftp rules Al Lewis (allewi) (Oct 26)
- Re: ftp rules Adam Ring (Oct 22)