[Snort-users] Rules to block FT

Frank Knobbe frank at ...9761...
Tue Jul 24 20:12:45 EDT 2007


On Thu, 2007-06-28 at 13:27 -0500, Atkins, Dwane P wrote:
> They seem to both work.

Not so quick :)

> I think what Dwane is looking for is ftp brute force attempts against
> his own ftp servers, so this should do it:
> 
> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any

Make sure you are blocking DST in this rule, not SRC, if you want to
block EXTERNAL_NET.

In your old rule:
> >  alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (   msg:"BLOCKED
> Potential
> >  FTP Brute-Force attempt";flow:from_server,established;
> > content:"530 ";
> > pcre:"/^530\s+(Login|User|Failed)/smi";classtype:unsuccessful-user;
> >  threshold: type threshold, track by_dst, count 10, seconds 60;
> >  sid:1000002; rev:1; fwsam: src, 5 minutes;)

You had SRC listed, which is correct for HOME_NET (since it is a client
in this rule, and I assume you wanted to block your rogue client PC on
the inside ;)  


Remember that SRC blocks the host LEFT of -> and DST blocks the host to
the RIGHT of ->


Cheers,
Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20070724/a3f1d4df/attachment.sig>


More information about the Snort-users mailing list