[Snort-users] Rules to block FT

Atkins, Dwane P ATKINSD at ...9240...
Wed Jun 27 11:18:54 EDT 2007

I have a testbed set up and have already alerted and blocked via
snortsam for SSH.  I am now working on FTP.


My rule:


alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (   msg:"BLOCKED Potential
FTP Brute-Force attempt";flow:from_server,established; content:"530 ";
threshold: type threshold, track by_dst, count 10, seconds 60;
sid:1000002; rev:1; fwsam: src, 5 minutes;)


Does this look like it will work? I am not that adept about building
rules and am learning.  This was from bleeding edge, I think.




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20070627/e62067b2/attachment.html>

More information about the Snort-users mailing list