[Snort-sigs] Regarding rule 491 INFO FTP Bad login

Martin Olsson elof at ...1288...
Mon Jul 14 05:53:37 EDT 2003


On Mon, 14 Jul 2003, J-H. Johansen wrote:
> When the 491 rule logs it logs the destination and source addresses.
> Since the rule actually kicks into effect when destination fails to login shouldn't the log output then switch destination with source and source with destination?
> Does snort support this kind of switching ?

No, snort doesn't, and I don't think it should. The operator analyzing the
alert should see the alerts unmodified in order to keep it simple and
understandable.

Instead I've made a request (in the snort-devel mailing list) for some kind
of tagging-system where each alert is tagged with information about where
the bad guy is located, src or dst. In your case it would be the
destination side since the source is the attacked FTP server.

/Martin
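The attacker-side tag Martin describes, as an added post-processing example that is not part of the thread or of Snort itself: it parses Snort fast-format alert lines (constructed samples) and, for rule 491, assumed here to match the FTP server's failed-login response, tags the destination as the attacker while leaving Snort's own src/dst fields untouched. The SID-to-side table and the local SID 1000001 are assumptions.

```python
import re

# Constructed Snort "fast"-format alert lines (not from the thread). SID 491 is
# the INFO FTP Bad login rule discussed; SID 1000001 is a hypothetical local rule.
SAMPLE_ALERTS = [
    "07/14-05:53:37.1  [**] [1:491:1] INFO FTP Bad login [**] [Priority: 2] {TCP} 192.0.2.21:21 -> 198.51.100.7:40012",
    "07/14-05:53:39.2  [**] [1:491:1] INFO FTP Bad login [**] [Priority: 2] {TCP} 192.0.2.21:21 -> 198.51.100.7:40013",
    "07/14-05:53:41.3  [**] [1:491:1] INFO FTP Bad login [**] [Priority: 2] {TCP} 192.0.2.21:21 -> 203.0.113.9:51000",
    "07/14-05:53:42.4  [**] [1:1000001:1] LOCAL hypothetical client rule [**] [Priority: 3] {TCP} 198.51.100.7:40014 -> 192.0.2.21:21",
]

# Assumed per-SID tag: "dst" means the rule matches a server response, so the
# party that caused the alert is the destination; unlisted SIDs default to "src".
ATTACKER_SIDE = {491: "dst"}

FAST_RE = re.compile(r"\[\d+:(\d+):\d+\] (.*?) \[\*\*\].*\{\w+\} (\S+):(\d+) -> (\S+):(\d+)")


def tag_alert(line, side_map=ATTACKER_SIDE):
    """Parse one fast-format TCP/UDP alert line and add an attacker-side tag.
    Snort's own src/dst fields are kept unmodified; only the tag is added.
    Returns None for lines that do not parse (e.g. ICMP lines carry no ports)."""
    m = FAST_RE.search(line)
    if not m:
        return None
    sid = int(m.group(1))
    src = f"{m.group(3)}:{m.group(4)}"
    dst = f"{m.group(5)}:{m.group(6)}"
    side = side_map.get(sid, "src")
    attacker, victim = (dst, src) if side == "dst" else (src, dst)
    return {"sid": sid, "msg": m.group(2), "src": src, "dst": dst,
            "attacker_side": side, "attacker": attacker, "victim": victim}


def alerts_per_attacker_host(lines, side_map=ATTACKER_SIDE):
    """Count alerts per attacker host (port stripped). With the tag applied, the
    repeated 491 hits are attributed to the failing client, not to the FTP server."""
    counts = {}
    for line in lines:
        t = tag_alert(line, side_map)
        if t is not None:
            host = t["attacker"].rsplit(":", 1)[0]
            counts[host] = counts.get(host, 0) + 1
    return counts
```

Calling `alerts_per_attacker_host(SAMPLE_ALERTS, side_map={})` shows the untagged view, where every 491 hit is counted against the server's address instead.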