Snort mailing list archives

how can you ignore all ports used in a single FTP session?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 08 Jan 2009 09:51:43 +1300

Hi there

[I've asked this before with no response
(C54CF084.8AA10000.reformail () crom trimble co nz), better luck this time ;-)]

I'm wanting to whitelist (pass) FTP sessions initiated by a particular
internal host, but cannot figure out a combination of rules that
achieves it. Making a "pass tcp ip.address any -> any 21" is easy - but
it doesn't take into account the DATA session - which may or may not be
PASSIVE.

I don't think flowbits will help, as setting that on the above rule
wouldn't suddenly make snort assume other TCP sessions are related, and
the ftp preprocessor doesn't seem to contain anything of use there either.

Any ideas? Snort-2.8.3.1

Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
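
The following is an added example, not part of the original post and not Snort code. It shows why a pass rule fixed on port 21 cannot cover the DATA session: the data-channel listener is only announced inside the control channel (PORT/227 per RFC 959, EPRT/229 per RFC 2428). The function names, addresses and sample lines are constructed for illustration.

```python
import re

# RFC 959: PORT argument and 227 reply both carry h1,h2,h3,h4,p1,p2.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428: EPRT <d>proto<d>addr<d>port<d>, and 229 reply (<d><d><d>port<d>).
EPRT = re.compile(r"^EPRT\s+(.)([12])\1(.+?)\1(\d{1,5})\1", re.I)
EPSV_REPLY = re.compile(r"\((.)\1\1(\d{1,5})\1\)")


def data_endpoint(sender, line, server_ip):
    """Return (mode, listener_ip, listener_port) if this control-channel
    line negotiates a data connection, otherwise None.
    sender is "C" (client) or "S" (server)."""
    line = line.strip()
    verb = line[:4].upper()
    if (sender == "C" and verb == "PORT") or (sender == "S" and line.startswith("227")):
        m = HOSTPORT.search(line)
        if not m:
            return None
        n = [int(x) for x in m.groups()]
        if max(n) > 255:
            return None
        mode = "active" if sender == "C" else "passive"
        return (mode, ".".join(map(str, n[:4])), n[4] * 256 + n[5])
    if sender == "C" and verb == "EPRT":
        m = EPRT.match(line)
        return ("active", m.group(3), int(m.group(4))) if m else None
    if sender == "S" and line.startswith("229"):
        # EPSV replies carry only a port; the address is the control peer.
        m = EPSV_REPLY.search(line)
        return ("passive", server_ip, int(m.group(2))) if m else None
    return None


def expected_data_flows(control_lines, server_ip):
    """Collect every data-channel listener negotiated on one control session."""
    flows = [data_endpoint(s, l, server_ip) for s, l in control_lines]
    return [f for f in flows if f]


# Constructed sample control-channel exchange (documentation addresses).
SAMPLE = [
    ("C", "USER anonymous"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("C", "PORT 198,51,100,5,4,1"),
    ("S", "229 Entering Extended Passive Mode (|||6446|)"),
    ("C", "EPRT |1|198.51.100.5|50001|"),
]

if __name__ == "__main__":
    for flow in expected_data_flows(SAMPLE, "192.0.2.10"):
        print(flow)
```

In passive mode the client connects to the listener on the server; in active mode the server connects back to the listener on the client, so the direction of the data connection differs as well as the port.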

