[Snort-users] Capturing FTP/POP3/IMAP/SMTP banners

Brian Caswell bmc at ...312...
Thu Apr 26 11:46:18 EDT 2001

"Mayers, Philip J" wrote:
> We have a rather... loosely controlled network (a hangover from the past).
> We're putting a Snort box in soon in an attempt to detect hacked machines as
> well as hacking attempts, and I'd like to piggyback the detection of
> unauthorised FTP servers (for example) on top of that.
> The idea is that incoming TCP SYN connections to port 21 would trigger a
> capture of the next 150 bytes of TCP payload going *out* from the server
> that was connected to. We could then process the data and detect the
> machines.
> I realise I could get something like this with activate/dynamic rules, but
> we're a heavy traffic site and it's entirely possible (probable, even) that
> I could miss the banner if someone else is running an FTP download at the
> same time.

Yep, that's already been added into Snort.

alert tcp any any -> $HOME_NET 21 (msg:"FLAGED FTP SESSIONS INCOMING";
flags:s; tag: session,150,bytes;)

Brian Caswell
The MITRE Corporation
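
Added example (not part of the original message and not Snort code): one way to do the "process the data" step from the quoted question, generalised to the SMTP/POP3/IMAP greetings named in the subject line. It assumes the server-to-client bytes of each tagged session have already been extracted into (ip, port, payload) records; the function names, HOME_NET value, allow-list and sample records are constructed for illustration.

```python
import ipaddress

TAG_BYTES = 150  # assumption: same 150-byte budget as the rule's tag option
# Greeting prefix each service sends first (FTP/SMTP "220", POP3 "+OK", IMAP "* OK")
GREETINGS = {21: b"220", 25: b"220", 110: b"+OK", 143: b"* OK"}


def parse_banner(port, payload):
    """Return the greeting line from the first TAG_BYTES of server output, or None."""
    prefix = GREETINGS.get(port)
    if prefix is None:
        return None
    data = payload[:TAG_BYTES]
    # FTP and SMTP may send multi-line greetings ("220-..."); the first line is enough
    first = data.split(b"\n", 1)[0].rstrip(b"\r")
    if not first.startswith(prefix):
        return None  # something answered on the port, but not with the expected greeting
    # Banner text is chosen by the remote host: keep printable ASCII only before logging
    return "".join(chr(b) if 32 <= b < 127 else "?" for b in first)


def unauthorised_servers(records, home_net, authorised):
    """records: iterable of (server_ip, server_port, server_to_client_bytes)."""
    net = ipaddress.ip_network(home_net)
    found = {}
    for ip, port, payload in records:
        if ipaddress.ip_address(ip) not in net or (ip, port) in authorised:
            continue
        banner = parse_banner(port, payload)
        if banner is not None:
            found.setdefault((ip, port), banner)  # keep the first banner seen per server
    return found


# Constructed sample records, not real captures
SAMPLE = [
    ("10.1.2.3", 21, b"220 ProFTPD Server ready.\r\n"),   # on the allow-list
    ("10.1.2.9", 21, b"220 \x1b[31mprivate ftpd\r\n"),    # unlisted, escape byte in banner
    ("10.1.2.7", 21, b"SSH-2.0-OpenSSH\r\n"),             # not an FTP greeting
    ("10.1.5.5", 110, b"+OK POP3 ready\r\n"),             # unlisted POP3 server
    ("192.0.2.1", 21, b"220 outside HOME_NET\r\n"),       # outside the monitored range
]
AUTHORISED = {("10.1.2.3", 21)}

if __name__ == "__main__":
    hits = unauthorised_servers(SAMPLE, "10.1.0.0/16", AUTHORISED)
    for (ip, port), banner in hits.items():
        print(f"{ip}:{port}  {banner}")
```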
