Snort mailing list archives
RE: Simple FTP Login Request rule.........................
From: JPP <jpp () frws com>
Date: Thu, 01 Apr 2004 22:11:38 -0700
>Matt Kettler wrote: > >>At 03:41 PM 4/1/2004, JPP wrote:> >> >>Anyone have a rule to capture and alert on FTP login requests ONLY?>>The rules we currently have capture either all FTP's inbound and >>generate a lot of entries at times, and the standard rules in >ftp.rules >which to this point have generated none.
>> >>A rule I have tried (in several variations) goes something like: >>alert tcp any any -> $HOME_NET 21 (msg:"FTP Password/Login attempt" \ >> flow:to_server,established; content:"Password"; nocase;) >> >>I fooled around with the wording, >>added content:"USER"; nocase; >>and/or >>added content:"ogin"; nocase;>>and still not a single hit when I log onto a server. I SEE Password: >>when I log in manually so obviously something in my logic or my >>general >understanding of rules is lacking. >>>Any wise rule writers out there that can assist would be greatly >>>appreciated!
> > >Your head is turned around looking backwards... [:)] >>All those strings don't go to the server... they come _from_ the server >and go to the client.. so of course your rule isn't firing..
>>Re-write your rule's sense of direction using something like this >instead:
>>alert tcp $HOME_NET 21 -> any any (msg:"FTP Password/Login prompt >outbound" \
> flow:from_server,established; content:"Password"; nocase;) > Thanks MattFinal rule that works for both SSH and FTP (and presumably for POP and the like) is:
alert tcp $HOME_NET 20:21 -> any any (msg:"FTP Password/Login prompt outbound" flow:from_server; content:"Password"; nocase;) (format to fit your screen!) Thanks again. *adds that to library of never ending knowledge* JPP ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: Simple FTP Login Request rule......................... JPP (Apr 01)