[Snort-users] Rules to block FT

Atkins, Dwane P ATKINSD at ...9240...
Wed Jun 27 11:18:54 EDT 2007


I have a testbed set up and have already alerted and blocked via
snortsam for SSH.  I am now working on FTP.

 

My rule:

 

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (   msg:"BLOCKED Potential
FTP Brute-Force attempt";flow:from_server,established; content:"530 ";
pcre:"/^530\s+(Login|User|Failed)/smi";classtype:unsuccessful-user;
threshold: type threshold, track by_dst, count 10, seconds 60;
sid:1000002; rev:1; fwsam: src, 5 minutes;)

 

Does this look like it will work? I am not that adept about building
rules and am learning.  This was from bleeding edge, I think.

 

Dwane

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20070627/e62067b2/attachment.html>


More information about the Snort-users mailing list