[Snort-sigs] ftp rules question - why only external to intern al?

L. Christopher Luther CLuther at ...1474...
Fri Apr 25 08:44:09 EDT 2003

Your question has a very subjective answer.  It all depends on what the NIDS
admin wants to track.  The rules that come with a base Snort install are
"canned".  That is, they will meet the needs of most of the NIDS admins.  

Having said this, however, I've heard it said and agree that *all* of the
Snort rules need to be reviewed and tweaked as necessary.  Your question is
a case in point.  



-----Original Message-----
From: Jerry.L.Rose at ...1475...
[mailto:Jerry.L.Rose at ...1475...]
Sent: Friday, April 25, 2003 10:35 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] ftp rules question - why only external to internal?

I see there are several "bad" sections in the ftp rules ("bad files" section
shown below). My question is why limit these to External network to and from
internal network? Wouldn't it be better to change them to any network to any
network? For example, if an internal user (located on the HOME_NET)
attempted to download a "bad" file from any ftp server I'd like to know
about it. What am I missing here?

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; content:
".forward"; flow:to_server,established; reference:arachnids,319;
classtype:suspicious-filename-detect; sid:334;  rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts";
flow:to_server,established; content:".rhosts"; reference:arachnids,328;
classtype:suspicious-filename-detect; sid:335;  rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP authorized_keys";
flow:to_server,established; content:"authorized_keys";
classtype:suspicious-filename-detect; sid:1927; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval
attempt"; flow:to_server,established; content:"RETR"; nocase;
content:"passwd"; reference:arachnids,213;
classtype:suspicious-filename-detect; sid:356;  rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retreval
attempt"; flow:to_server,established; content:"RETR"; nocase;
content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:2;)

Jerry Rose 

Network Security Administrator 
U.S. Army Corps of Engineers 
Jacksonville District 

More information about the Snort-sigs mailing list