Snort mailing list archives

RE: Simple FTP Login Request rule.........................


From: JPP <jpp () frws com>
Date: Thu, 01 Apr 2004 22:11:38 -0700


>Matt Kettler wrote:
>
>>At 03:41 PM 4/1/2004, JPP wrote:
>>
>>Anyone have a rule to capture and alert on FTP login requests ONLY?
>>The rules we currently have capture either all FTP's inbound and
>>generate a lot of entries at times, and the standard rules in ftp.rules
>>which to this point have generated none.
>>
>>A rule I have tried (in several variations) goes something like:
>>alert tcp any any -> $HOME_NET 21 (msg:"FTP Password/Login attempt" \
>>   flow:to_server,established; content:"Password"; nocase;)
>>
>>I fooled around with the wording,
>>added content:"USER"; nocase;
>>and/or
>>added content:"ogin"; nocase;
>>and still not a single hit when I log onto a server. I SEE Password:
>>when I log in manually so obviously something in my logic or my general
>>understanding of rules is lacking.
>>
>>Any wise rule writers out there that can assist would be greatly
>>appreciated!
>
>
>Your head is turned around looking backwards... [:)]
>
>All those strings don't go to the server... they come _from_ the server
>and go to the client.. so of course your rule isn't firing..
>
>Re-write your rule's sense of direction using something like this
>instead:
>
>alert tcp $HOME_NET 21 -> any any (msg:"FTP Password/Login prompt outbound" \
>   flow:from_server,established; content:"Password"; nocase;)
>

Thanks Matt

Final rule that works for both SSH and FTP (and presumably for POP and the like) is:

alert tcp $HOME_NET 20:21 -> any any  (msg:"FTP Password/Login prompt
   outbound" flow:from_server; content:"Password"; nocase;)

(format to fit your screen!)

Thanks again. *adds that to library of never ending knowledge*

JPP
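The direction mistake Matt points out is easy to reproduce outside Snort. The script below is an added example, not code from this thread or from Snort itself: a toy evaluator that applies the source/destination, port, `flow:` direction and case-insensitive `content:` parts of a rule to a constructed FTP login exchange (addresses, the session tracker, the banner text and the placeholder password are all assumed). It shows that the original `flow:to_server` rule sees only `USER` and `PASS`, which never carry the string "Password", while the `from_server` rewrite (and JPP's final `20:21` variant) fires on the server's 331 prompt.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: this address plays the role of $HOME_NET (the monitored FTP server).
HOME_NET = {"192.0.2.10"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Session:
    """Who initiated the TCP session; this is what Snort's stream tracker
    uses to decide to_server / from_server, not the ports on the packet."""
    client: Tuple[str, int]
    server: Tuple[str, int]


@dataclass
class Rule:
    """Subset of a Snort rule header and body used in the thread."""
    msg: str
    src_net: str                      # "$HOME_NET" or "any"
    sport: Optional[Tuple[int, int]]  # inclusive (low, high) range, None = any
    dst_net: str
    dport: Optional[Tuple[int, int]]
    flow: str                         # "to_server" or "from_server"
    content: bytes
    nocase: bool = True


def _net_ok(net: str, addr: str) -> bool:
    return net == "any" or (net == "$HOME_NET" and addr in HOME_NET)


def _port_ok(spec: Optional[Tuple[int, int]], port: int) -> bool:
    return spec is None or spec[0] <= port <= spec[1]


def _flow_ok(rule: Rule, pkt: Packet, sess: Session) -> bool:
    from_server = (pkt.src, pkt.sport) == sess.server
    return from_server if rule.flow == "from_server" else not from_server


def _content_ok(rule: Rule, pkt: Packet) -> bool:
    hay, needle = pkt.payload, rule.content
    if rule.nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def run_rule(rule: Rule, packets: List[Packet], sess: Session) -> List[bytes]:
    """Return the payloads of every packet that would raise an alert for rule."""
    return [p.payload for p in packets
            if _net_ok(rule.src_net, p.src) and _port_ok(rule.sport, p.sport)
            and _net_ok(rule.dst_net, p.dst) and _port_ok(rule.dport, p.dport)
            and _flow_ok(rule, p, sess) and _content_ok(rule, p)]


# Constructed session: client 198.51.100.7 connected to the server on port 21.
SERVER = ("192.0.2.10", 21)
CLIENT = ("198.51.100.7", 40123)
SESSION = Session(client=CLIENT, server=SERVER)


def _s2c(data: bytes) -> Packet:  # server -> client
    return Packet(SERVER[0], SERVER[1], CLIENT[0], CLIENT[1], data)


def _c2s(data: bytes) -> Packet:  # client -> server
    return Packet(CLIENT[0], CLIENT[1], SERVER[0], SERVER[1], data)


# Constructed FTP login exchange; the password is a placeholder.
FTP_LOGIN = [
    _s2c(b"220 FTP server ready.\r\n"),
    _c2s(b"USER alice\r\n"),
    _s2c(b"331 Password required for alice.\r\n"),
    _c2s(b"PASS <placeholder>\r\n"),
    _s2c(b"230 User alice logged in.\r\n"),
]

# JPP's original rule: "Password" going TO the server.
ORIGINAL_RULE = Rule("FTP Password/Login attempt", "any", None,
                     "$HOME_NET", (21, 21), "to_server", b"Password")
# The "ogin" variant JPP also tried, still in the to_server direction.
OGIN_RULE = Rule("FTP Login attempt", "any", None,
                 "$HOME_NET", (21, 21), "to_server", b"ogin")
# Matt's corrected direction: the prompt comes FROM the server.
CORRECTED_RULE = Rule("FTP Password/Login prompt outbound", "$HOME_NET", (21, 21),
                      "any", None, "from_server", b"Password")
# JPP's final rule with the 20:21 source port range.
FINAL_RULE = Rule("FTP Password/Login prompt outbound", "$HOME_NET", (20, 21),
                  "any", None, "from_server", b"Password")

if __name__ == "__main__":
    for r in (ORIGINAL_RULE, OGIN_RULE, CORRECTED_RULE, FINAL_RULE):
        print(f"{r.flow:12} {r.content!r:12} -> {run_rule(r, FTP_LOGIN, SESSION)}")
```

Swap the `flow` field on `ORIGINAL_RULE` to `from_server` and it still does not fire, because its header requires the packet's destination to be in `$HOME_NET`; both the header direction and the `flow:` keyword have to agree with the way the data actually travels.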


