[Snort-sigs] ftp rules question - why only external to internal?

Jerry.L.Rose at ...1475...
Fri Apr 25 07:58:12 EDT 2003

I see there are several "bad" sections in the ftp rules ("bad files" section
shown below). My question is why limit these to External network to and from
internal network? Wouldn't it be better to change them to any network to any
network? For example, if an internal user (located on the HOME_NET)
attempted to download a "bad" file from any ftp server I'd like to know
about it. What am I missing here?

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; content:".forward"; flow:to_server,established; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:1927; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:2;)

Jerry Rose
Network Security Administrator
U.S. Army Corps of Engineers
Jacksonville District
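
The header semantics this question turns on, as an added example that is not part of the original post or of Snort itself: a minimal Python model of how the header `$EXTERNAL_NET any -> $HOME_NET 21` gates sid 356, compared with an `any any -> any 21` header. The HOME_NET value, the definition of $EXTERNAL_NET as !$HOME_NET, the packets and every function name are assumptions constructed for illustration; `flow:to_server,established` is taken as satisfied for both packets.

```python
import ipaddress

# Assumed value, constructed for this example (not from the post).
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

def in_var(var, ip):
    """Evaluate a Snort-style address variable against one IP address."""
    inside = ipaddress.ip_address(ip) in HOME_NET
    if var == "any":
        return True
    if var == "$HOME_NET":
        return inside
    if var == "$EXTERNAL_NET":  # assumption: defined as !$HOME_NET
        return not inside
    raise ValueError(f"unknown address variable: {var}")

def header_matches(header, src, sport, dst, dport):
    """Match a unidirectional 'SRC SPORT -> DST DPORT' header against a packet."""
    s_var, s_port, arrow, d_var, d_port = header.split()
    if arrow != "->":
        raise ValueError("only '->' headers are modelled here")
    port_ok = lambda spec, port: spec == "any" or int(spec) == port
    return (in_var(s_var, src) and port_ok(s_port, sport)
            and in_var(d_var, dst) and port_ok(d_port, dport))

def rule_fires(header, contents, pkt):
    """contents: (pattern, nocase) pairs, all must occur somewhere in the payload."""
    src, sport, dst, dport, payload = pkt
    if not header_matches(header, src, sport, dst, dport):
        return False
    return all((pat.lower() in payload.lower()) if nocase else (pat in payload)
               for pat, nocase in contents)

STOCK = "$EXTERNAL_NET any -> $HOME_NET 21"   # header as posted
WIDE = "any any -> any 21"                    # the change the post proposes
SID_356 = [(b"RETR", True), (b"passwd", False)]  # content options of sid 356

# Constructed packets: (src, sport, dst, dport, payload)
INBOUND = ("203.0.113.7", 40000, "192.0.2.10", 21, b"RETR /etc/passwd\r\n")
OUTBOUND = ("192.0.2.55", 40001, "198.51.100.9", 21, b"retr passwd\r\n")

def compare():
    """Return which header/packet combinations raise the sid 356 alert."""
    return {(h, name): rule_fires(hdr, SID_356, pkt)
            for h, hdr in (("stock", STOCK), ("wide", WIDE))
            for name, pkt in (("inbound", INBOUND), ("outbound", OUTBOUND))}

if __name__ == "__main__":
    for key, fired in compare().items():
        print(key, "alert" if fired else "no alert")
```

With the posted header, the HOME_NET client's request to an outside FTP server produces no alert; only the widened header sees it.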
