[Snort-users] ftp scans

jan at ...1739... jan at ...1739...
Wed Apr 4 07:13:07 EDT 2001


> This looks to me like someone is scanning for ftps on
> our network, I would like to have the scans that hit
> port 21 be reported to alert file, but I can't seem to
> write the correct rule for it, anyone that can help me?

I don't know. If you wrote a simple rule for that, you might get an
alert every time someone opens an ftp connection to one of your hosts.
Apart from the frequency, the above packets look like a normal SYN
packet sent to open an ftp control connection. If you don't run any ftp
servers, you might be fine, but if you do, you'll probably get loads of
false positives. 

Bye, Jan

Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther at ...206...
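
Added example, not part of the original message: the reply's point is that a single SYN to port 21 looks like a normal connection and only the frequency sets a scan apart, so this sketch compares a plain per-packet match with a count of distinct destinations per source inside a time window. The event tuples, addresses and the 60-second / 5-host thresholds are constructed assumptions, not values from the thread.

```python
from collections import defaultdict, deque

FTP_PORT = 21

def naive_alerts(events):
    """What a plain 'any SYN to port 21' rule matches: every such packet."""
    return [e for e in events if e[3] == FTP_PORT and e[4] == "S"]

def sweep_sources(events, window=60, min_hosts=5):
    """Return {src: distinct destinations} for sources whose SYNs to port 21
    reached at least min_hosts different hosts within `window` seconds."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for ts, src, dst, dport, flags in sorted(events):
        if dport != FTP_PORT or flags != "S":
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop entries that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= min_hosts:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

def sample_events():
    """Constructed events: (timestamp, src, dst, dst_port, tcp_flags)."""
    events = []
    # A legitimate client opening ftp control connections to one server.
    for ts in (0, 40, 300):
        events.append((ts, "198.51.100.7", "192.0.2.10", 21, "S"))
    # One source touching port 21 on eight hosts within eight seconds.
    for i in range(8):
        events.append((100 + i, "203.0.113.50", f"192.0.2.{20 + i}", 21, "S"))
    # Unrelated web traffic, ignored by both checks.
    events.append((105, "198.51.100.9", "192.0.2.10", 80, "S"))
    return events

if __name__ == "__main__":
    ev = sample_events()
    print("per-packet matches:", len(naive_alerts(ev)))
    print("sweep sources:", sweep_sources(ev))
```

A sweep slower than the window passes under this threshold, so the window and host count have to be tuned against the normal ftp traffic on the network.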
