[Snort-sigs] Sig to locate rogue ftp servers

Brian bmc at ...95...
Thu Feb 13 04:55:02 EST 2003


On Thu, Feb 13, 2003 at 09:26:52AM +0200, Jukka Juslin wrote:
> ->> alert tcp $HOME_NET !21 -> $EXTERNAL_NET any (msg:"FTP FTP on non-standard
> ->> FTP port"; flags:AP; content:"331 "; depth:4; classtype:policy-violation;)
> ->
> ->You are correct, using flow:from_server,established; would be what
> ->should be used.  Your message states FTP 3 times.  If I were to look at
> ->adding a rule like that I would probably go with "POLICY FTP on non-standard
> ->port" as a message.
> 
> I get alerts based on ftp-data 20/tcp also by this rule. And that is a
> standard port. Can I put !21!20 to the rule? Didn't find from rule guide,
> maybe looked too quickly.

nope, but you can do !20:21

-brian
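To make the port-field semantics concrete, here is an added Python example (written for this page, not code from the thread or from Snort) that models the core Snort port syntax: `any`, a single port, an `A:B` range, a leading `!` negation and a bracketed list. It shows why `!21` still matches ftp-data traffic from port 20, why `!21!20` is rejected, and how `!20:21` excludes both ports; the packet samples are constructed, and the `331 `/`depth:4` check mirrors the rule quoted above.

```python
"""Matcher for Snort rule port fields (added example, not from the thread).

Assumption: only the core Snort port syntax is modelled here: "any", a
single port, a range "A:B" (either side optional), one leading "!" that
negates the whole field, and a bracketed list "[a,b:c]".
"""
import re

_RANGE_RE = re.compile(r"^(\d*):(\d*)$")


def _parse_item(item: str) -> tuple[int, int]:
    """Turn one port or one A:B range into an inclusive (low, high) tuple."""
    item = item.strip()
    if item.isdigit():
        port = int(item)
        if port > 65535:
            raise ValueError(f"port out of range: {item}")
        return port, port
    match = _RANGE_RE.match(item)
    if not match or item == ":":
        raise ValueError(f"malformed port item: {item!r}")
    low = int(match.group(1)) if match.group(1) else 0
    high = int(match.group(2)) if match.group(2) else 65535
    if low > high or high > 65535:
        raise ValueError(f"bad range: {item!r}")
    return low, high


def parse_port_spec(spec: str) -> tuple[bool, list[tuple[int, int]]]:
    """Parse a Snort port field into (negated, list_of_ranges).

    A second "!" after the first (as in "!21!20") is rejected: there is no
    syntax for chaining negations, which is why the reply recommends the
    single negated range "!20:21" instead.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if "!" in spec:
        raise ValueError(f"only one leading '!' is allowed: {spec!r}")
    if spec == "any":
        return negated, [(0, 65535)]
    if spec.startswith("[") and spec.endswith("]"):
        return negated, [_parse_item(p) for p in spec[1:-1].split(",")]
    return negated, [_parse_item(spec)]


def port_matches(spec: str, port: int) -> bool:
    """True if `port` satisfies the Snort port field `spec`."""
    negated, ranges = parse_port_spec(spec)
    inside = any(low <= port <= high for low, high in ranges)
    return inside != negated


# Source-port field of the corrected rule: excludes ftp (21) and ftp-data (20).
CORRECTED_RULE_SRC_PORTS = "!20:21"
# The rule's payload test: content:"331 "; depth:4 (first four bytes only).
CONTENT, DEPTH = b"331 ", 4


def rule_would_alert(src_port: int, payload: bytes,
                     src_port_spec: str = CORRECTED_RULE_SRC_PORTS) -> bool:
    """Apply the rule's source-port test and its content/depth test."""
    return port_matches(src_port_spec, src_port) and payload[:DEPTH] == CONTENT


# Constructed server->client samples: (source port, start of payload).
SAMPLES = [
    (21,   b"331 Password required for alice\r\n"),   # normal FTP control
    (20,   b"331 bytes of a transfer that start this way"),  # ftp-data
    (2121, b"331 Please specify the password.\r\n"),  # FTP on a non-standard port
    (8080, b"HTTP/1.1 200 OK\r\n"),                   # no 331 banner at all
]


def alerts_for(samples=SAMPLES,
               src_port_spec: str = CORRECTED_RULE_SRC_PORTS) -> list[int]:
    """Return the source ports of the samples the rule would alert on."""
    return [port for port, payload in samples
            if rule_would_alert(port, payload, src_port_spec)]


if __name__ == "__main__":
    print("original !21 fires on:", alerts_for(src_port_spec="!21"))  # [20, 2121]
    print("fixed !20:21 fires on:", alerts_for())                      # [2121]
```

With the original `!21` source port the constructed ftp-data sample on port 20 still triggers, which is the behaviour Jukka reports; switching the field to `!20:21` leaves only the non-standard-port session, and `!21!20` fails to parse.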
