[Snort-devel] Writing own rules

abhijit deodhar abhideodhar at ...2224...
Tue Feb 10 04:36:13 EST 2004


Hello,

I am a novice and was trying to test Snort detecting
my own rule viz.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21
(msg:"XXX";content:"LIST";classtype:attempted-admin;)

to ftp.rules

According to me it should detect a packet with data
content "LIST" in it and also log or display it on
screen with some message XXX.
However, I find that snort does not detect this
"attack". Can you point out any specific reason for this
discrepancy and tell me how to debug?

Thanks in advance,

Abhijit
