[Snort-sigs] ftp rules question - why only external to internal?

Terence Runge terencerunge at ...1224...
Fri Apr 25 10:11:06 EDT 2003

This depends entirely on what you deem important to monitor for. What do 
you define as $EXTERNAL_NET? In some instances, I have defined specific 
VLANs as the $EXTERNAL_NET or $HOME_NET, especially when running Snort 
for site-to-site internal monitoring, sniffing the uplink. Create virtual 
interfaces and try running multiple instances of Snort with well-defined 
snort.conf and *.rules.


Jerry.L.Rose at ...1475... wrote:

> I see there are several "bad" sections in the ftp rules ("bad files" 
> section shown below). My question is why limit these to External 
> network to and from internal network? Wouldn't it be better to change 
> them to any network to any network? For example, if an internal user 
> (located on the HOME_NET) attempted to download a "bad" file from any 
> ftp server I'd like to know about it. What am I missing here?
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; content: ".forward"; flow:to_server,established; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334; rev:4;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:4;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:1927; rev:2;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:4;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:2;)
>
> Jerry Rose
> Network Security Administrator
> U.S. Army Corps of Engineers
> Jacksonville District
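
Added example (not part of the original thread, and not Snort code): a simplified Python model of how a unidirectional `->` rule header is matched, showing which FTP control connections the quoted header covers, compared with an any-to-any header and an outbound variant, under two `$EXTERNAL_NET` definitions. The addresses, the `10.1.0.0/16` `HOME_NET`, the header labels and the helper names are assumptions made for the illustration.

```python
import ipaddress

def in_net(ip, spec, variables):
    """Match an address against a Snort-style spec: 'any', '$VAR', '!spec' or a CIDR."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not in_net(ip, spec[1:], variables)
    if spec.startswith("$"):
        return in_net(ip, variables[spec[1:]], variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def header_matches(header, flow, variables):
    """header = (src, dst, dport) of a '->' rule; flow = (client_ip, server_ip, server_port).
    With flow:to_server the inspected packets travel client -> server, so src is the client."""
    src, dst, dport = header
    client, server, port = flow
    return (in_net(client, src, variables)
            and in_net(server, dst, variables)
            and dport in ("any", port))

# Constructed flows (documentation and private ranges), not taken from the thread.
FLOWS = {
    "external client -> internal server": ("203.0.113.7", "10.1.1.20", 21),
    "internal client -> external server": ("10.1.1.50", "198.51.100.9", 21),
    "internal client -> internal server": ("10.1.1.50", "10.1.2.20", 21),
}

# "stock" is the header used by the quoted rules; the other two are hypothetical variants.
HEADERS = {
    "stock": ("$EXTERNAL_NET", "$HOME_NET", 21),
    "any-any": ("any", "any", 21),
    "outbound": ("$HOME_NET", "$EXTERNAL_NET", 21),
}

def coverage(variables):
    """Return {header name: [names of flows whose client-to-server packets it covers]}."""
    return {name: [f for f, flow in FLOWS.items() if header_matches(hdr, flow, variables)]
            for name, hdr in HEADERS.items()}

if __name__ == "__main__":
    for ext in ("any", "!$HOME_NET"):
        print("EXTERNAL_NET =", ext)
        result = coverage({"HOME_NET": "10.1.0.0/16", "EXTERNAL_NET": ext})
        for name, flows in result.items():
            print(f"  {name:9s} {flows}")
```

Under either definition the stock header never covers an internal client talking to an external FTP server; that case needs the outbound or any-to-any header, while internal-to-internal coverage depends on how `$EXTERNAL_NET` is defined.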
