[Snort-users] ftp scans

jan at ...1739... jan at ...1739...
Wed Apr 4 07:13:07 EDT 2001


Hi,

> This looks to me like someone is scanning for ftps on
> our network, I would like to have the scans that hit
> port 21 be reported to alert file, but I can't seem to
> write the correct rule for it, anyone that can help me?

I don't know. If you wrote a simple rule for that, you might get an
alert every time someone opens an ftp connection to one of your hosts.
Apart from the frequency, the above packets look like a normal SYN
packet sent to open an ftp control connection. If you don't run any ftp
servers, you might be fine, but if you do, you'll probably get loads of
false positives.

Bye, Jan

-- 
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
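
Added example, not part of the original message: since frequency is the only thing that separates these packets from a normal client connecting, one way to cut the false positives is to alert on the number of distinct hosts a single source sends a SYN to on port 21 within a short window, rather than on every SYN. The record format, the sample data, the function names and the thresholds (4 hosts in 60 seconds) are all assumptions made for this illustration.

```python
from collections import defaultdict, deque

# Constructed sample records (not from the original thread), sorted by time:
# "<epoch seconds> <source ip> <destination ip> <destination port> <tcp flags>"
SAMPLE = """\
1000 203.0.113.7 192.0.2.10 21 S
1001 203.0.113.7 192.0.2.11 21 S
1002 203.0.113.7 192.0.2.12 21 S
1003 203.0.113.7 192.0.2.13 21 S
1004 198.51.100.20 192.0.2.10 21 S
1030 198.51.100.20 192.0.2.10 21 S
1050 198.51.100.20 192.0.2.10 80 S
1200 203.0.113.7 192.0.2.14 21 S
"""

def ftp_syns(lines, port=21):
    """Yield (ts, src, dst) for bare SYNs to the FTP control port."""
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # blank or malformed record
        ts, src, dst, dport, flags = fields
        if ts.isdigit() and dport.isdigit() and int(dport) == port and flags == "S":
            yield int(ts), src, dst

def naive_alert_count(lines):
    """What a plain 'any SYN to port 21' rule would report."""
    return sum(1 for _ in ftp_syns(lines))

def find_ftp_sweeps(lines, window=60, min_hosts=4):
    """Flag sources that SYN port 21 on >= min_hosts distinct hosts within
    `window` seconds. Both thresholds are assumed values; tune per network."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    sweeps = {}                  # src -> (time threshold was crossed, hosts seen)
    for ts, src, dst in ftp_syns(lines):
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()          # drop SYNs that aged out of the window
        hosts = sorted({d for _, d in q})
        if len(hosts) >= min_hosts and src not in sweeps:
            sweeps[src] = (ts, hosts)
    return sweeps

if __name__ == "__main__":
    records = SAMPLE.splitlines()
    print("naive rule alerts:", naive_alert_count(records))
    for src, (ts, hosts) in find_ftp_sweeps(records).items():
        print(f"sweep from {src} at t={ts}: {len(hosts)} hosts {hosts}")
```

On the sample data the plain rule fires on every FTP SYN, including the repeat client of a single server, while the per-source host count flags only the address that touched four hosts in a few seconds.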