[Snort-users] Simple FTP login request rule - just not so simple to me!
jpp at ...1565...
Thu Apr 1 12:42:03 EST 2004
Anyone have a rule to capture and alert on FTP login requests ONLY?
The rules we currently have capture either all FTP's inbound and
generate a lot of entries at times, and the standard rules in ftp.rules
which to this point have generated none.
A rule I have tried (in several variations) goes something like:
alert tcp any any -> $HOME_NET 21 (msg:"FTP Password/Login attempt" \
flow:to_server,established; content:"Password"; nocase;)
I fooled around with the wording,
added content:"USER"; nocase;
added content:"ogin"; nocase;
and still not a single hit when I log onto a server. I SEE Password:
when I log in manually so obviously something in my logic or my general
understanding of rules is lacking.
Any wise rule writers out there that can assist would be greatly
More information about the Snort-users