Snort mailing list archives

Re: Simple FTP login request rule - just not so simple to me!


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 01 Apr 2004 18:51:44 -0500

At 03:41 PM 4/1/2004, JPP wrote:
Anyone have a rule to capture and alert on FTP login requests ONLY?
The rules we currently have either capture all inbound FTP traffic, which generates a lot of entries at times, or are the standard rules in ftp.rules, which to this point have generated none.

A rule I have tried (in several variations) goes something like:
alert tcp any any -> $HOME_NET 21 (msg:"FTP Password/Login attempt"; \
   flow:to_server,established; content:"Password"; nocase;)

I fooled around with the wording,
added content:"USER"; nocase;
and/or
added content:"ogin"; nocase;
and still not a single hit when I log onto a server. I SEE Password: when I log in manually so obviously something in my logic or my general understanding of rules is lacking.
Any wise rule writers out there that can assist would be greatly appreciated!

Your head is turned around looking backwards... :)

All those strings don't go to the server... they come _from_ the server and go to the client.. so of course your rule isn't firing..

Re-write your rule's sense of direction using something like this instead:

alert tcp $HOME_NET 21 -> any any (msg:"FTP Password/Login prompt outbound"; \
   flow:from_server,established; content:"Password"; nocase;)
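As an added illustration (not part of the thread and not Snort code), the following toy model of Snort's flow direction and content matching runs both rules over a constructed FTP login exchange. It shows that the "Password" prompt is only visible on the from_server side, while the USER command, which the client sends, is the one string that actually matches a to_server rule. Packet, SESSION, rule_matches and count_hits are names made up for this example.

```python
# Added example (not from the thread): a toy model of Snort's direction
# matching, showing why the original to_server rule never fires on the
# FTP "Password" prompt while the corrected from_server rule does.
from dataclasses import dataclass


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: str
    from_server: bool  # set by the session tracker, like Snort's flow state


# Constructed FTP login exchange: the client sends USER/PASS, the server
# answers with the 331 "Password required" prompt a human sees on screen.
SESSION = [
    Packet(50123, 21, "USER alice\r\n", False),
    Packet(21, 50123, "331 Password required for alice.\r\n", True),
    Packet(50123, 21, "PASS s3cret\r\n", False),
    Packet(21, 50123, "230 Login successful.\r\n", True),
]


def rule_matches(pkt, flow, content, ftp_port=21):
    """Mimic 'flow:<flow>,established; content:"<content>"; nocase;' on port 21."""
    if flow == "to_server" and (pkt.from_server or pkt.dst_port != ftp_port):
        return False
    if flow == "from_server" and (not pkt.from_server or pkt.src_port != ftp_port):
        return False
    return content.lower() in pkt.payload.lower()  # nocase match


def count_hits(flow, content, session=SESSION):
    """Number of packets in the session that would trigger the rule."""
    return sum(rule_matches(p, flow, content) for p in session)


if __name__ == "__main__":
    print("to_server   + Password:", count_hits("to_server", "Password"))    # 0
    print("from_server + Password:", count_hits("from_server", "Password"))  # 1
    print("to_server   + USER    :", count_hits("to_server", "USER"))        # 1
    print("from_server + ogin    :", count_hits("from_server", "ogin"))      # 1
```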

