[Snort-sigs] FTP Snort rule

Joel Esler (jesler) jesler at ...3865...
Wed May 7 12:47:28 EDT 2014



Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On May 7, 2014, at 12:31 PM, vijay saravanan <vjysaravan_88 at ...144...> wrote:

Hi All,

I am new to Snort. Here is the rule I wrote to detect connection requests to the FTP server and responses from the FTP server.

alert tcp any any <> 21 (msg: "FTP access";sid:10000002;rev:1;)

Snort alerts on all the connection attempts from external hosts to the FTP server, but it is not producing an alert for the response sent by the FTP server.

For example:

I could see the packet captured from to for "USER root"

But the response by the FTP server to is not captured.

We changed the rule to:

alert tcp 21 -> any any (msg: "FTP access";sid:10000002;rev:1;)

But still it doesn't work.

Please assist. Let me know if you need additional information.


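Added example, not part of the original thread: a Snort 2 rule header has seven fields (action, protocol, source address, source port, direction operator, destination address, destination port), and each rule as it appears in this archived copy shows one address field missing. The Python below checks a header for that shape and models how `<>` covers both packet orientations; the 192.0.2.10 server address and the function names are constructed for illustration.

```python
# Added example: validates the seven-field header of a Snort 2 rule.
# Assumption: addresses and ports are single tokens that are either "any" or a
# literal value; variables, CIDR blocks and bracketed lists are not modelled.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
FIELDS = ("action", "protocol", "src_addr", "src_port",
          "direction", "dst_addr", "dst_port")


def parse_header(rule):
    """Return the header fields of a rule as a dict, or raise ValueError."""
    tokens = rule.split("(", 1)[0].split()      # header is everything before the options
    ops = [i for i, tok in enumerate(tokens) if tok in DIRECTIONS]
    if len(ops) != 1:
        raise ValueError("header needs exactly one direction operator (-> or <>)")
    left, right = tokens[:ops[0]], tokens[ops[0] + 1:]
    if len(left) != 4:
        raise ValueError(f"before operator: want action, protocol, address, port; got {left}")
    if len(right) != 2:
        raise ValueError(f"after operator: want address, port; got {right}")
    fields = dict(zip(FIELDS, left + [tokens[ops[0]]] + right))
    if fields["action"] not in ACTIONS:
        raise ValueError(f"unknown action {fields['action']!r}")
    if fields["protocol"] not in PROTOCOLS:
        raise ValueError(f"unknown protocol {fields['protocol']!r}")
    return fields


def header_matches(fields, src, sport, dst, dport):
    """True if a packet's endpoints fit the header; <> also tries them swapped."""
    def side(addr, port, want_addr, want_port):
        return want_addr in ("any", addr) and want_port in ("any", str(port))

    def oriented(s, sp, d, dp):
        return (side(s, sp, fields["src_addr"], fields["src_port"])
                and side(d, dp, fields["dst_addr"], fields["dst_port"]))

    if oriented(src, sport, dst, dport):
        return True
    return fields["direction"] == "<>" and oriented(dst, dport, src, sport)


# Rules exactly as they appear in the archived post (one address field missing in each).
ARCHIVED = ['alert tcp any any <> 21 (msg: "FTP access";sid:10000002;rev:1;)',
            'alert tcp 21 -> any any (msg: "FTP access";sid:10000002;rev:1;)']
# Constructed rule: 192.0.2.10 is a placeholder FTP server address.
COMPLETE = 'alert tcp any any <> 192.0.2.10 21 (msg: "FTP access";sid:10000002;rev:1;)'
```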