[Snort-sigs] FTP Snort rule
vjysaravan_88 at ...144...
Wed May 7 12:31:08 EDT 2014
I am new to Snort. Here is the rule written to detect connection requests to the FTP server and responses from the FTP server.
alert tcp any any <> 192.168.0.147 21 (msg: "FTP access";sid:10000002;rev:1;)
Snort alerts on all connection attempts from external hosts to the FTP server, but it is not producing an alert for the response sent by the FTP server.
For example:
I could see the packet captured from 192.168.0.125 to 192.168.0.147:21 for "USER root".
But the response by the FTP server 192.168.0.147:21 to 192.168.0.125 is not captured.
We changed the rule to:
alert tcp 192.168.0.147 21 -> any any (msg: "FTP access";sid:10000002;rev:1;)
But still it doesn't work.
Please assist. Let me know if you need additional information.
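
An added example, not part of the original post and not Snort's own code: a simplified Python model of how a rule header (addresses, ports and the `->` / `<>` direction operator) is compared against a packet, run over constructed packets for the exchange described above. The client port 40000 and all function names are assumptions; rule options and stream state are not modelled.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

def _ip_ok(spec, ip):
    # "any" or a single address / CIDR block, as used in the rules above
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec == "any" or int(spec) == port

def parse_header(rule):
    """Split 'action proto src sport dir dst dport (options)' into fields."""
    header = rule.split("(", 1)[0].split()
    if len(header) != 7 or header[4] not in ("->", "<>"):
        raise ValueError("unsupported rule header: %r" % rule)
    keys = ("action", "proto", "src", "sport", "dir", "dst", "dport")
    return dict(zip(keys, header))

def header_matches(rule, pkt):
    """True if the packet's addresses and ports satisfy the rule header."""
    h = parse_header(rule)
    forward = (_ip_ok(h["src"], pkt.src) and _port_ok(h["sport"], pkt.sport)
               and _ip_ok(h["dst"], pkt.dst) and _port_ok(h["dport"], pkt.dport))
    if forward or h["dir"] == "->":
        return forward
    # '<>' also accepts the packet with the two sides of the header swapped
    return (_ip_ok(h["src"], pkt.dst) and _port_ok(h["sport"], pkt.dport)
            and _ip_ok(h["dst"], pkt.src) and _port_ok(h["dport"], pkt.sport))

# The two rules from the post
RULE_BIDIR = 'alert tcp any any <> 192.168.0.147 21 (msg: "FTP access";sid:10000002;rev:1;)'
RULE_REPLY = 'alert tcp 192.168.0.147 21 -> any any (msg: "FTP access";sid:10000002;rev:1;)'

# Constructed packets for the exchange described; client port 40000 is assumed
REQUEST = Packet("192.168.0.125", 40000, "192.168.0.147", 21)
RESPONSE = Packet("192.168.0.147", 21, "192.168.0.125", 40000)

def evaluate():
    """Header-match result for each (rule, packet) pair."""
    rules = {"bidir": RULE_BIDIR, "reply": RULE_REPLY}
    pkts = {"request": REQUEST, "response": RESPONSE}
    return {(r, p): header_matches(rules[r], pkts[p]) for r in rules for p in pkts}

if __name__ == "__main__":
    for key, hit in sorted(evaluate().items()):
        print(key, "match" if hit else "no match")
```

In this header-only model both rules match the server's response packet, and only the `<>` rule matches the client's request.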