[Snort-sigs] FTP Snort rule

waldo kitty wkitty42 at ...3507...
Wed May 7 12:56:26 EDT 2014


On 5/7/2014 12:31 PM, vijay saravanan wrote:
> Hi All,
>
> I am new to snort, Here is the rule written to detect connection request to FTP
> server and response from the FTP server.
>
> alert tcp any any <> 192.168.0.147 21 (msg: "FTP access";sid:10000002;rev:1;)
>
> The snort alerts all the connection attempt from external hosts to FTP Server
> but it is not producing the alert for response sent by FTP server.
>
> For example :-
>
> I could see the packet captured from 192.168.0.125 to 192.168.0.147:21 for "USER
> root"
>
> But the response by the FTP server 192.168.0.147:21 to 192.168.0.125 is not
> captured.

are you sure the response goes back out on port 21?

ideally, you should also use content matches to speed the pattern matching... 
one rule for each inbound detection desired and another rule for each outbound 
detection desired... it is not a good idea to try to shortcut things by using a 
one-rule-covers-all type of methodology...

going back to your original rule, if you only want to detect connection 
attempts, you might want to start by detecting the initial syn packet of the 
three-way handshake used in tcp connections... that happens before any type of 
login sequence can be started ;)

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
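The advice above (one rule per direction, content matches, and a separate rule for the initial SYN) written out as Snort 2 rules. This is an added example, not part of the original thread; the server address 192.168.0.147 comes from the question, while the sid values, msg strings and the choice of "USER " / "331 " as content anchors are assumptions made for the illustration.

```snort
# Rule 1: connection attempt only. Matches the client's initial SYN before any
# login sequence exists. flow:stateless is needed because there is no
# established session yet; "S,12" ignores the two reserved TCP flag bits.
alert tcp any any -> 192.168.0.147 21 (msg:"FTP connection attempt (SYN) to server"; \
    flags:S,12; flow:stateless; sid:1000001; rev:1;)

# Rule 2: inbound direction only. Anchors on the USER command at the start of
# the payload so the fast pattern matcher can discard unrelated packets cheaply.
alert tcp any any -> 192.168.0.147 21 (msg:"FTP USER command sent to server"; \
    flow:to_server,established; content:"USER "; nocase; depth:5; \
    sid:1000002; rev:1;)

# Rule 3: outbound direction only. The FTP control channel reply to USER is
# "331 User name okay, need password" (RFC 959), sourced from port 21.
alert tcp 192.168.0.147 21 -> any any (msg:"FTP server 331 reply (password required)"; \
    flow:to_client,established; content:"331 "; depth:4; \
    sid:1000003; rev:1;)
```

Two things to check when the outbound rule still fires nothing: the `flow:` keyword depends on the stream preprocessor (stream5 on Snort 2.9) being enabled, and the sensor must actually see both halves of the conversation, so a SPAN/mirror port or tap that only carries the client-to-server direction will never produce the server-side alert regardless of how the rule is written.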
