[Snort-users] Capturing FTP/POP3/IMAP/SMTP banners

Mayers, Philip J p.mayers at ...1913...
Thu Apr 26 11:10:33 EDT 2001

We have a rather... loosely controlled network (a hangover from the past).
We're putting a Snort box in soon in an attempt to detect hacked machines as
well as hacking attempts, and I'd like to piggyback the detection of
unauthorised FTP servers (for example) on top of that.

The idea is that incoming TCP SYN connections to port 21 would trigger a
capture of the next 150 bytes of TCP payload going *out* from the server
that was connected to. We could then process the data and detect the

I realise I could get something like this with activate/dynamic rules, but
we're a heavy traffic site and it's entirely possible (probable, even) that
I could miss the banner if someone else is running an FTP download at the
same time.

Any thoughts?


| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
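
The per-connection capture described in the post, as an added example that is not part of the original message and is not Snort code: each bare SYN to a watched port opens its own buffer keyed by the 4-tuple, so a concurrent bulk transfer cannot displace the banner. The `Pkt` record, `capture_banners` and all sample addresses and banners are constructed for illustration; it assumes packets arrive in order and does no TCP reassembly.

```python
from dataclasses import dataclass

BANNER_LIMIT = 150          # bytes of server payload to keep, as in the post
SYN, ACK = 0x02, 0x10       # TCP flag bits

@dataclass(frozen=True)
class Pkt:                  # hypothetical minimal packet record
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""

def capture_banners(packets, ports=(21,), limit=BANNER_LIMIT):
    """Return {(client, cport, server, sport): first `limit` bytes the server sent}."""
    flows = {}
    for p in packets:
        # A bare SYN (no ACK) to a watched port opens a tracked flow.
        # setdefault keeps the buffer if the SYN is retransmitted.
        if p.dport in ports and p.flags & SYN and not p.flags & ACK:
            flows.setdefault((p.src, p.sport, p.dst, p.dport), bytearray())
            continue
        # Server -> client traffic: look the flow up by the reversed 4-tuple.
        buf = flows.get((p.dst, p.dport, p.src, p.sport))
        if buf is not None and p.payload and len(buf) < limit:
            buf += p.payload[: limit - len(buf)]
    return {k: bytes(v) for k, v in flows.items()}

# Constructed sample: two control connections interleaved with an
# unrelated bulk transfer that must not affect either capture.
SAMPLE = [
    Pkt("192.0.2.10", 40001, "10.1.1.5", 21, SYN),
    Pkt("10.1.1.9", 20, "192.0.2.77", 50000, ACK, b"X" * 1400),
    Pkt("192.0.2.11", 40002, "10.1.1.6", 21, SYN),
    Pkt("10.1.1.5", 21, "192.0.2.10", 40001, SYN | ACK),
    Pkt("10.1.1.5", 21, "192.0.2.10", 40001, ACK, b"220 constructed FTP banner\r\n"),
    Pkt("10.1.1.6", 21, "192.0.2.11", 40002, ACK, b"220-" + b"A" * 100),
    Pkt("10.1.1.6", 21, "192.0.2.11", 40002, ACK, b"B" * 100),
]

if __name__ == "__main__":
    for flow, banner in capture_banners(SAMPLE).items():
        print(flow, banner[:40])
```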