[Snort-users] RE: Simple FTP Login Request rule.........................
jpp at ...1565...
Thu Apr 1 21:13:01 EST 2004
Matt Kettler wrote:
>At 03:41 PM 4/1/2004, JPP wrote:
>>Anyone have a rule to capture and alert on FTP login requests ONLY?
>>The rules we currently have capture either all FTP's inbound and
>>generate a lot of entries at times, and the standard rules in
>>ftp.rules which to this point have generated none.
>>A rule I have tried (in several variations) goes something like:
>>alert tcp any any -> $HOME_NET 21 (msg:"FTP Password/Login attempt"; \
>>  flow:to_server,established; content:"Password"; nocase;)
>>I fooled around with the wording,
>>added content:"USER"; nocase;
>>added content:"ogin"; nocase;
>>and still not a single hit when I log onto a server. I SEE Password:
>>when I log in manually so obviously something in my logic or my
>>general understanding of rules is lacking.
>>Any wise rule writers out there that can assist would be greatly
>Your head is turned around looking backwards... [:)]
>All those strings don't go to the server... they come _from_ the
>server and go to the client.. so of course your rule isn't firing..
>Re-write your rule's sense of direction using something like this
>alert tcp $HOME_NET 21 -> any any (msg:"FTP Password/Login prompt"; \
>  flow:from_server,established; content:"Password"; nocase;)
Final rule that works for both SSH and FTP (and presumably for POP and
the like) is:
alert tcp $HOME_NET 20:21 -> any any (msg:"FTP Password/Login prompt outbound"; flow:from_server; content:"Password"; nocase;)
(format to fit your screen!)
Thanks again. *adds that to library of never ending knowledge*
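As an added example (not code from the thread or from the Snort project), here is a small Python model of the two things that decided this case: the rule header's literal `->` direction and the `flow:to_server`/`flow:from_server` modifier, applied to a constructed FTP login exchange. It shows that the original rule (traffic going to the server, content "Password") can never match because the `331 Password required` prompt travels the other way, that adding a second `content:` such as "USER" to the same rule makes it stricter rather than broader (all `content:` options must match in one packet), and that the corrected from-server rule fires exactly once per login prompt. The addresses, ports, session payloads and the `Rule`/`Packet` classes are assumptions made for the example; real Snort does far more (stream reassembly, fast-pattern matching, `established` tracking) than this toy matcher.

```python
# Added example, not code from the original thread or from the Snort project.
# It models just enough of a Snort rule header (direction operator, ports)
# and the flow:to_server / flow:from_server modifier to show why a content
# match on the server's "Password" prompt only fires when the rule is written
# from the server's side. Addresses, ports and the FTP dialogue are constructed.
from dataclasses import dataclass, field
from typing import List, Tuple

HOME_NET = {"192.0.2.10"}  # constructed: the FTP server we protect


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    from_server: bool  # who sent it in the session (what flow: checks)


@dataclass
class Rule:
    msg: str
    src_net: str        # "$HOME_NET" or "any"
    sport: str          # "any", "21" or a range such as "20:21"
    dst_net: str
    dport: str
    flow: str           # "to_server" or "from_server"
    contents: List[str] = field(default_factory=list)  # every content: must match
    nocase: bool = True


def net_match(spec: str, ip: str) -> bool:
    return spec == "any" or (spec == "$HOME_NET" and ip in HOME_NET)


def port_match(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                       # Snort range syntax lo:hi
        lo, hi = spec.split(":")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # Header: "src -> dst" is literal; the packet must travel that way.
    if not (net_match(rule.src_net, pkt.src) and port_match(rule.sport, pkt.sport)
            and net_match(rule.dst_net, pkt.dst) and port_match(rule.dport, pkt.dport)):
        return False
    # flow: is checked against the session role of the sender.
    if rule.flow == "to_server" and pkt.from_server:
        return False
    if rule.flow == "from_server" and not pkt.from_server:
        return False
    # Several content: options in one rule are ANDed: all must be present.
    hay = pkt.payload.lower() if rule.nocase else pkt.payload
    for c in rule.contents:
        needle = c.encode().lower() if rule.nocase else c.encode()
        if needle not in hay:
            return False
    return True


def run_rules(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, bytes]]:
    """Return (msg, payload) for every rule/packet pair that alerts."""
    return [(r.msg, p.payload) for p in packets for r in rules if rule_matches(r, p)]


# Constructed FTP login exchange between client 203.0.113.5 and server 192.0.2.10.
CLIENT, SERVER = "203.0.113.5", "192.0.2.10"


def c2s(data: bytes) -> Packet:
    return Packet(CLIENT, 40123, SERVER, 21, data, from_server=False)


def s2c(data: bytes) -> Packet:
    return Packet(SERVER, 21, CLIENT, 40123, data, from_server=True)


SESSION = [
    s2c(b"220 ftp.example.test FTP server ready\r\n"),
    c2s(b"USER alice\r\n"),
    s2c(b"331 Password required for alice\r\n"),
    c2s(b"PASS <redacted>\r\n"),
    s2c(b"230 User alice logged in\r\n"),
]

# The rule from the original question: looks at traffic *to* the server.
ORIGINAL = Rule("FTP Password/Login attempt", "any", "any", "$HOME_NET", "21",
                "to_server", ["Password"])
# The same rule with a second content: added (the poster's "USER" variant).
ORIGINAL_PLUS_USER = Rule("FTP Password/Login attempt (USER)", "any", "any",
                          "$HOME_NET", "21", "to_server", ["Password", "USER"])
# The corrected rule from the reply: the prompt comes *from* the server.
CORRECTED = Rule("FTP Password/Login prompt outbound", "$HOME_NET", "20:21",
                 "any", "any", "from_server", ["Password"])


def alerts_for(rule: Rule) -> List[bytes]:
    return [payload for _, payload in run_rules([rule], SESSION)]


if __name__ == "__main__":
    for r in (ORIGINAL, ORIGINAL_PLUS_USER, CORRECTED):
        print(f"{r.msg!r}: {len(alerts_for(r))} alert(s)", alerts_for(r))
```

Running it prints zero alerts for both to-server variants and one alert, on the `331 Password required for alice` line, for the from-server rule. Because that rule fires on the server's prompt rather than on the client's `PASS` command, it alerts once per login attempt (successful or not) without the rule ever having to inspect the credential itself.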