[Snort-users] Simple FTP login request rule - just not so simple to me!

JPP jpp at ...1565...
Thu Apr 1 16:36:31 EST 2004


Matt Kettler wrote:

> At 03:41 PM 4/1/2004, JPP wrote:
> 
>> Anyone have a rule to capture and alert on FTP login requests ONLY?
>> The rules we currently have capture either all FTP's inbound and 
>> generate a lot of entries at times, and the standard rules in 
>> ftp.rules which to this point have generated none.
>>
>> A rule I have tried (in several variations) goes something like:
>> alert tcp any any -> $HOME_NET 21 (msg:"FTP Password/Login attempt"; \
>>    flow:to_server,established; content:"Password"; nocase;)
>>
>> I fooled around with the wording,
>> added content:"USER"; nocase;
>> and/or
>> added content:"ogin"; nocase;
>> and still not a single hit when I log onto a server. I SEE Password: 
>> when I log in manually so obviously something in my logic or my 
>> general understanding of rules is lacking.
>> Any wise rule writers out there that can assist would be greatly 
>> appreciated!
> 
> 
> Your head is turned around looking backwards... :)
> 
> All those strings don't go to the server... they come _from_ the server 
> and go to the client.. so of course your rule isn't firing..
> 
> Re-write your rule's sense of direction using something like this instead:
> 
> alert tcp $HOME_NET 21 -> any any (msg:"FTP Password/Login prompt outbound"; \
>    flow:from_server,established; content:"Password"; nocase;)
> 

Thanks Matt

Final rule that works for both SSH and FTP (and presumably for POP and 
the like) is:

alert tcp $HOME_NET 20:21 -> any any (msg:"FTP Password/Login prompt outbound"; flow:from_server; content:"Password"; nocase;)

(format to fit your screen!)

Thanks again. *adds that to library of never ending knowledge*

JPP
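The direction point Matt makes is easy to check outside Snort. The script below is an added example (not from the thread, and not Snort's own parser): a toy matcher that understands only the rule header, `msg`, `flow`, `content` and `nocase`, run over a constructed FTP login exchange. The `$HOME_NET` value, the client/server addresses and the payloads are all assumptions. It shows the original `to_server` rule never fires because the `Password` string is a server reply, the `from_server` rewrite fires on that reply, and a rule that really wants the client's login request has to look for client-side content such as `USER` in the `to_server` direction.

```python
"""Toy Snort-style rule matcher: header direction, flow, content, nocase.

Added example for the thread above; not Snort code. Supports only
'alert proto src sport -> dst dport (msg; flow; content; nocase)'.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed value of $HOME_NET


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    flow: List[str] = field(default_factory=list)
    content: Optional[bytes] = None
    nocase: bool = False


HEADER_RE = re.compile(
    r"^\s*alert\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
# key, optionally ':' and a quoted or unquoted value, then the ';' terminator
OPTION_RE = re.compile(r'(\w+)(?:\s*:\s*("[^"]*"|[^;]*))?\s*;')


def parse_rule(text: str) -> Rule:
    """Parse the supported subset of a Snort rule into a Rule."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unsupported rule header")
    rule = Rule(*m.groups()[:5])
    for key, val in OPTION_RE.findall(m.group(6)):
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "flow":
            rule.flow = [f.strip() for f in val.split(",")]
        elif key == "content":
            rule.content = val.encode()
        elif key == "nocase":
            rule.nocase = True
    return rule


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    net = HOME_NET if spec == "$HOME_NET" else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(ip) in net


def _port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:  # Snort range syntax, e.g. 20:21
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def match(rule: Rule, client: Tuple[str, int], packets: List[Packet]) -> List[int]:
    """Return indexes of packets the rule would alert on.

    'client' is the side that opened the TCP session; to_server means the
    packet travels from that side, from_server the reverse.
    """
    hits = []
    for i, p in enumerate(packets):
        if not (_addr_match(rule.src, p.src) and _port_match(rule.sport, p.sport)
                and _addr_match(rule.dst, p.dst) and _port_match(rule.dport, p.dport)):
            continue
        to_server = (p.src, p.sport) == client
        if "to_server" in rule.flow and not to_server:
            continue
        if "from_server" in rule.flow and to_server:
            continue
        if rule.content is not None:
            hay, needle = p.payload, rule.content
            if rule.nocase:
                hay, needle = hay.lower(), needle.lower()
            if needle not in hay:
                continue
        hits.append(i)
    return hits


# Constructed FTP login exchange: client 198.51.100.7 -> server 192.0.2.10:21
CLIENT = ("198.51.100.7", 40123)
SERVER = ("192.0.2.10", 21)
SESSION = [
    Packet(*SERVER, *CLIENT, b"220 ftpd ready\r\n"),
    Packet(*CLIENT, *SERVER, b"USER alice\r\n"),
    Packet(*SERVER, *CLIENT, b"331 Password required for alice\r\n"),
    Packet(*CLIENT, *SERVER, b"PASS hunter2\r\n"),
    Packet(*SERVER, *CLIENT, b"230 Login successful\r\n"),
]

RULES = [
    # the original attempt: looks for the server's prompt in client traffic
    'alert tcp any any -> $HOME_NET 21 (msg:"FTP Password/Login attempt"; '
    'flow:to_server,established; content:"Password"; nocase;)',
    # Matt's rewrite: same string, server-to-client direction
    'alert tcp $HOME_NET 21 -> any any (msg:"FTP Password/Login prompt outbound"; '
    'flow:from_server,established; content:"Password"; nocase;)',
    # a true login-request rule watches the client's USER command instead
    'alert tcp any any -> $HOME_NET 21 (msg:"FTP USER command inbound"; '
    'flow:to_server,established; content:"USER"; nocase;)',
]


def demo() -> Dict[str, List[int]]:
    """Run every rule over the constructed session; msg -> hit indexes."""
    return {r.msg: match(r, CLIENT, SESSION) for r in map(parse_rule, RULES)}


if __name__ == "__main__":
    for msg, hits in demo().items():
        print(f"{msg!r}: {len(hits)} alert(s) on packet(s) {hits}")
```

Running it prints 0 alerts for the original rule, 1 for the rewrite (the `331 Password required` reply) and 1 for the `USER` rule (the client's login command), which is the behaviour the thread describes.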
