Snort mailing list archives

RE : Snort Rule and FTP server


From: rmkml <rmkml () yahoo fr>
Date: Sun, 03 Nov 2013 11:56:45 +0100

Hi Quocviet,

Could you check without checksum please? (-k none)

Regards
@Rmkml



-------- Original message --------
From: quocviet nguyen <nguyenquocviet.2010 () gmail com>
Date:
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Rule and FTP server
 
hi all,

I have installed Snort Version 2.9.4.6 GRE (Build 73) on CentOS 5.5, and then I wrote a simple rule:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 "; pcre:"/530\s+(Login|User|Failed|Not)/smi"; sid:1000003; rev:10;)

This rule detects unsuccessful user logins to the FTP server, but Snort cannot detect the string "530 Login incorrect" in the
server response payload, although when I use Wireshark to capture packets, I see the server has responded with the above string.

Could you give any recommendations in this situation?

thanks.


-- 
viet
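
An added illustration, not part of either message: a simplified Python model of why the -k none check suggested above can change the result. The addresses, ports and payload are constructed, the bad checksum stands in for a segment captured on the sending host before the NIC filled in the field (an assumed scenario), and would_alert() is a hypothetical model of checksum handling, not Snort's code.

```python
import re
import struct

def fold16(data: bytes) -> int:
    """16-bit one's-complement sum used by the TCP checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: bytes, dst: bytes, segment: bytes) -> bytes:
    return src + dst + struct.pack("!BBH", 0, 6, len(segment))  # 6 = TCP

def build_segment(src, dst, payload, checksum=None):
    """Constructed server->client segment from port 21; None = compute checksum."""
    def header(csum):
        return struct.pack("!HHIIBBHHH", 21, 40000, 1, 1, 5 << 4, 0x18, 8192, csum, 0)
    if checksum is None:
        body = header(0) + payload
        checksum = ~fold16(pseudo_header(src, dst, body) + body) & 0xFFFF
    return header(checksum) + payload

def checksum_valid(src, dst, segment) -> bool:
    """With a correct checksum field, the folded sum of everything is 0xFFFF."""
    return fold16(pseudo_header(src, dst, segment) + segment) == 0xFFFF

def rule_matches(segment) -> bool:
    """The content and pcre options of the rule above (/smi -> S, M, I flags)."""
    payload = segment[(segment[12] >> 4) * 4:]
    pattern = rb"530\s+(Login|User|Failed|Not)"
    return b"530 " in payload and bool(re.search(pattern, payload, re.S | re.M | re.I))

def would_alert(src, dst, segment, checksum_mode="all") -> bool:
    """Simplified model: in mode 'all' a bad TCP checksum is never inspected."""
    if checksum_mode == "all" and not checksum_valid(src, dst, segment):
        return False
    return rule_matches(segment)

# Constructed sample data (documentation addresses, not from the thread).
SERVER, CLIENT = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
PAYLOAD = b"530 Login incorrect.\r\n"
GOOD = build_segment(SERVER, CLIENT, PAYLOAD)
# Stand-in for a segment captured before the NIC filled in the checksum.
BAD = build_segment(SERVER, CLIENT, PAYLOAD, struct.unpack("!H", GOOD[16:18])[0] + 1)

if __name__ == "__main__":
    for name, seg in (("valid checksum", GOOD), ("bad checksum", BAD)):
        for mode in ("all", "none"):
            print(f"{name:15} -k {mode:4} alert={would_alert(SERVER, CLIENT, seg, mode)}")
```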