[Snort-sigs] FTP Snort rule

vijay saravanan vjysaravan_88 at ...144...
Wed May 7 13:09:01 EDT 2014


Thanks Joel. The -k none option did the magic.

Thanks,
Vijay
On Wednesday, 7 May 2014 10:17 PM, Joel Esler (jesler) <jesler at ...3865...> wrote:
 
Try: 

https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md


--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

 
On May 7, 2014, at 12:31 PM, vijay saravanan <vjysaravan_88 at ...144...> wrote:

>Hi All,
>
>I am new to Snort. Here is the rule written to detect connection requests to the FTP server and responses from the FTP server.
>
>alert tcp any any <> 192.168.0.147 21 (msg: "FTP access";sid:10000002;rev:1;)
>
>Snort alerts on all the connection attempts from external hosts to the FTP server, but it is not producing the alert for the response sent by the FTP server.
>
>For example:
>
>I could see the packet captured from 192.168.0.125 to 192.168.0.147:21 for "USER root"
>
>But the response by the FTP server 192.168.0.147:21 to 192.168.0.125 is not captured.
>
>We changed the rule to:
>
>alert tcp 192.168.0.147 21 -> any any (msg: "FTP access";sid:10000002;rev:1;)
>
>But still it doesn't work.
>
>Please assist. Let me know if you need additional information.
>
>Thanks,
>Vijay
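
An added example (not from the thread or the Snort project) showing why `-k none` can make the missing alerts appear: by default Snort verifies checksums and does not evaluate rules against packets that fail, and a segment captured on the sending host with checksum offload enabled still has an unfilled TCP checksum. It assumes the sensor saw the server's replies before the NIC filled in the checksum, which the thread does not state; the ports, payloads and function names are constructed, and `inspected()` is a simplified model of the checksum modes.

```python
import socket
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IP/TCP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def build_packet(src, dst, sport, dport, payload, offloaded=False):
    """Constructed IPv4/TCP segment. offloaded=True leaves the TCP checksum
    as 0, standing in for a value the NIC would fill in later (assumption)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    if not offloaded:
        csum = ~ones_sum(pseudo + tcp) & 0xFFFF
        tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ~ones_sum(ip) & 0xFFFF) + ip[12:]
    return ip + tcp

def tcp_checksum_ok(packet: bytes) -> bool:
    """Recompute the TCP checksum over pseudo-header + segment; valid sums to 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_sum(pseudo + tcp) == 0xFFFF

def inspected(packet: bytes, checksum_mode: str = "all") -> bool:
    """Simplified model: with verification on, bad-checksum segments never reach the rules."""
    return checksum_mode == "none" or tcp_checksum_ok(packet)

# Constructed samples using the addresses from the thread
CLIENT = build_packet("192.168.0.125", "192.168.0.147", 40000, 21, b"USER root\r\n")
SERVER = build_packet("192.168.0.147", "192.168.0.125", 21, 40000,
                      b"331 Password required\r\n", offloaded=True)

if __name__ == "__main__":
    for name, pkt in (("client->server", CLIENT), ("server->client", SERVER)):
        print(name, "default:", inspected(pkt), "| -k none:", inspected(pkt, "none"))
```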