Snort mailing list archives
how can you ignore all ports used in a single FTP session?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 08 Jan 2009 09:51:43 +1300
Hi there

[I've asked this before with no response (C54CF084.8AA10000.reformail () crom trimble co nz), better luck this time ;-)]

I'm wanting to whitelist (pass) FTP sessions initiated by a particular internal host, but cannot figure out a combination of rules that achieves it.

Making a "pass tcp ip.address any -> any 21" is easy - but it doesn't take into account the DATA session - which may or may not be PASSIVE. I don't think flowbits will help, as setting that on the above rule wouldn't suddenly make snort assume other TCP sessions are related, and the ftp preprocessor doesn't seem to contain anything of use there either.

Any ideas?

Snort-2.8.3.1

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1