[Snort-users] Simple FTP login request rule - just not so simple to me!

JPP jpp at ...1565...
Thu Apr 1 12:42:03 EST 2004

Hey all!

Anyone have a rule to capture and alert on FTP login requests ONLY?
The rules we currently have either capture all inbound FTP and 
generate a lot of entries at times, or are the standard rules in ftp.rules, 
which to this point have generated none.

A rule I have tried (in several variations) goes something like:
alert tcp any any -> $HOME_NET 21 (msg:"FTP Password/Login attempt"; \
   flow:to_server,established; content:"Password"; nocase;)

I fooled around with the wording,
added content:"USER"; nocase;
added content:"ogin"; nocase;
and still not a single hit when I log onto a server. I SEE Password: 
when I log in manually so obviously something in my logic or my general 
understanding of rules is lacking.
Any wise rule writers out there that can assist would be greatly 
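
The matching behaviour in question, as an added example that is not part of the original post: a simplified Python model (not Snort itself) of `flow` plus `content`/`nocase`/`depth` matching, run over a constructed FTP control session in RFC 959 command/reply form. The host name, user name, reply wording and the `depth:5` alternative are assumptions made for illustration.

```python
# Added example: simplified model of Snort content matching, not Snort code.
# Constructed FTP control-channel session; reply wording varies by server.
SESSION = [
    ("to_client", b"220 ftp.example.test FTP server ready\r\n"),
    ("to_server", b"USER alice\r\n"),
    ("to_client", b"331 Password required for alice\r\n"),
    ("to_server", b"PASS s3cret-constructed\r\n"),
    ("to_client", b"230 User alice logged in\r\n"),
    ("to_server", b"LIST\r\n"),
]


def fires(packet, direction, flow, contents, depth=None):
    """True when the packet travels in the rule's flow direction and every
    content string is found, case-insensitively (nocase), in that one
    packet, optionally only within the first `depth` bytes."""
    if direction != flow:
        return False
    window = packet[:depth] if depth else packet
    haystack = window.lower()
    return all(c.lower() in haystack for c in contents)


def hits(flow, contents, depth=None):
    """Return the session packets on which a rule with these options fires."""
    return [p for d, p in SESSION if fires(p, d, flow, contents, depth)]


def evaluate():
    return {
        # Rule as posted: client-to-server traffic containing "Password".
        "posted": hits("to_server", [b"Password"]),
        # Adding content:"USER" on top: both strings must be in one packet.
        "posted_plus_user": hits("to_server", [b"Password", b"USER"]),
        # The word "Password" is on the wire, but in the server's 331 reply.
        "server_reply": hits("to_client", [b"Password"]),
        # Assumed alternative, one alert per login request:
        #   flow:to_server,established; content:"USER "; nocase; depth:5;
        "user_command": hits("to_server", [b"USER "], depth=5),
    }


if __name__ == "__main__":
    for name, matched in evaluate().items():
        print(f"{name:17} {len(matched)} hit(s) {matched}")
```
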

