Snort mailing list archives

Re: Mainframe FTP Failed Logins


From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Wed, 12 May 2010 13:03:57 -0500


paul stark wrote:

> The issue appears to occur because for some reason snort does not see
> the 530 failed login code that is returned. The 220 status codes also
> do not appear to be detected.

Hi Paul, looking at the dump traffic you provided I only see the egress client communication with the FTPd; I don't see
any ingress from the FTPd itself, hence no 220 banner, status codes, etc.  Does /root/debug.pcap contain bi-directional
traffic?

Regarding that ET sig with the PCRE: we may be able to write a better (performance/detection) rule for your environment
if you're targeting a specific FTPd product/version...

- -evilghost
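Added example (not from the thread or from Snort): a small pure-Python libpcap reader that counts TCP packets to and from port 21 per direction, which is the check evilghost is asking for, whether a capture such as /root/debug.pcap contains the FTPd's replies (220 banner, 530 failed login) and not just the client's commands. Function names and the sample frames are constructed for illustration.

```python
import struct

# Classic libpcap format only (24-byte global header, 16-byte record headers),
# Ethernet link type, IPv4. Enough to answer "is this capture one-way?".

def parse_pcap(data):
    """Yield the raw link-layer frames stored in a libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len

def ftp_directions(data, server_port=21):
    """Return (to_server, from_server) packet counts for TCP traffic on server_port.
    from_server == 0 means Snort never saw a banner or a 530, so no rule can fire on them."""
    to_server = from_server = 0
    for frame in parse_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        if frame[23] != 6:
            continue  # protocol field: 6 == TCP
        tcp = frame[14 + ihl:]
        if len(tcp) < 4:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        if dport == server_port:
            to_server += 1
        elif sport == server_port:
            from_server += 1
    return to_server, from_server

def build_frame(sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (sample data, not taken from any real capture)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap constructed frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    one_way = build_pcap([build_frame(40000, 21, b"USER x\r\n"), build_frame(40000, 21, b"PASS y\r\n")])
    two_way = build_pcap([build_frame(21, 40000, b"220 ready\r\n"), build_frame(40000, 21, b"USER x\r\n"),
                          build_frame(21, 40000, b"530 Login incorrect.\r\n")])
    print("client-only capture:", ftp_directions(one_way), "bi-directional:", ftp_directions(two_way))
```

To check a real file, call `ftp_directions(open(path, "rb").read())`; a zero second element reproduces the symptom in the thread.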


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

