[Snort-users] Outgoing FTP Rule?

Brad Merluzzi brad at ...6102...
Mon Jun 17 06:56:03 EDT 2002


Hi,

I'd like to develop an FTP rule for outgoing connections to track 
1. Outbound FTP connections
2. Capturing Username to outgoing FTP
3. Capturing Password to outgoing FTP
4. Files that are being recieved via the outgoing FTP connection

My premise behind this is this:
If someone breaks into one of my servers, they will usually go out to get
their 'Root Kit' to comprimise my server. Capturing the User Name/Password
and filename will allow me to see what they might have up their sleeve, and
to also know what they are trying to do on my server.

The problem is this, I can't just monitor port 21, since FTP can be set up
on any port, and just scanning for either Username or Password brings up a
lot of false positives from web pages since we are a hosting company.

Is there a part of the FTP packet that I can use in a rule to further
deliniate an FTP transmission?

Also,  Has anyone else tried to do domething like this, or am i just wasting
my time?

Thanks,

--Brad


  "That's it! You people have stood in my way long enough. I'm going to
clown college!"   -- Homer Simpson







More information about the Snort-users mailing list