[Snort-sigs] ftp rules

Al Lewis (allewi) allewi at ...3865...
Thu Oct 22 11:41:07 EDT 2015

For ftp (or any rule) syntax please visit the website here: http://manual.snort.org/node27.html

Here are some (ftp rules) taken from the community rules available on the snort.org website. https://snort.org/downloads

[alewis at ...4076... community-rules]$ cat community.rules | grep ftp | more

# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0
rm/smi"; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:144; rev:16;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; metadata:ruleset commu
nity, service ftp; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .forward"; flow:to_server,established; content:".forward"; metadata:ruleset community, service ftp; classtype:suspicious-filename-det
ect; sid:334; rev:12;)

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...3865...

From: Adam Ring [mailto:adam.ring at ...4074...]
Sent: Thursday, October 22, 2015 8:56 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] ftp rules

Hi I am new to snort and was trying to create an ftp rule.  I have downloaded the rules from the website, but in the ftp file there aren't any rules in there.  I was wondering if that was supposed to be empty and if it is, is there a place where I can go to find some examples of ftp rules?

Adam Ring
IT Help Desk Techniction
Office 703.677.9540

AOC Solutions<http://www.aocsolutions.com/> | Solutions That Pay(r)

Blog<http://www.aocsolutions.com/blog> | Video<http://www.aocsolutions.com/ap-payment-automation-video> | LinkedIn<https://www.linkedin.com/company/139025?trk=tyah&trkInfo=clickedVertical%3Acompany%2Cidx%3A1-1-1%2CtarId%3A1436380782168%2Ctas%3Aaoc%20solutions>

[cid:image001.png at ...4077...]<http://www.aocsolutions.com/about-aoc/aoc-in-the-news/aoc-named-top-workplace-by-washington-post>

This e-mail and any attachments may contain confidential and privileged

information. If you are not the intended recipient, please notify the sender

immediately by return e-mail, delete this e-mail and attachments (if applicable)

and destroy any copies. Any dissemination or use of this information by a person

other than the intended recipient is unauthorized and strictly prohibited. You

may be subject to confidentiality restrictions in an existing contract with AOC

Solutions, Inc. As a result, you must protect the contents of this communication

according to such terms and conditions.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20151022/49ddd33d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 6274 bytes
Desc: image001.png
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20151022/49ddd33d/attachment.png>

More information about the Snort-sigs mailing list