[Snort-users] Rules to block FT
Atkins, Dwane P
ATKINSD at ...9240...
Thu Jun 28 14:27:27 EDT 2007
They seem to both work.
Thank you and have a great day.
From: Valter Santos [mailto:vsantola at ...13607...]
Sent: Thursday, June 28, 2007 12:20 PM
To: Joel Ebrahimi
Cc: Atkins, Dwane P; Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Rules to block FT
I think what Dwane is looking for is ftp brute force attempts against
his own ftp servers, so this should do it:
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any
Responses from $HOME_NET 21 to external hosts... the full rule from
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE SCAN
Potential FTP Brute-Force attempt"; flow:from_server,established;
content:"530 "; pcre:"/^530\s+(Login|User|Failed)/smi";
classtype:unsuccessful-user; threshold: type threshold, track by_dst,
count 5, seconds 120; sid:2002383; rev:4;)
On 6/28/07, Joel Ebrahimi <jebrahimi at ...13458...> wrote:
> Hi Dwane,
> There is a problem with this rule. The content detection portion of
> rule looks good, it looks for the 530 response from FTP for an
> The problem lies within the rule header though (alert tcp $HOME_NET
> $EXTERNAL_NET 21), this content that is being looked for is from the
> to the server, where it is really the server that sends the 530 error
> so by switching the direction you're monitoring this pattern for you
> good to go (alert tcp $EXTERNAL_NET 21 -> $HOME_NET any).
> Joel Ebrahimi
> Senior Software Engineer
> -----Original Message-----
> From: snort-users-bounces at lists.sourceforge.net on behalf
> of Atkins, Dwane P
> Sent: Wed 6/27/2007 9:18 AM
> To: Snort-users at lists.sourceforge.net
> Subject: [Snort-users] Rules to block FT
> I have a testbed set up and have already alerted and blocked via
> snortsam for SSH. I am now working on FTP.
> My rule:
> alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"BLOCKED
> FTP Brute-Force attempt";flow:from_server,established;
> content:"530 ";
> threshold: type threshold, track by_dst, count 10, seconds 60;
> sid:1000002; rev:1; fwsam: src, 5 minutes;)
> Does this look like it will work? I am not that adept at building
> rules and am learning. This was from bleeding edge, I think.
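The two points the thread turns on, Joel's header/flow direction mismatch and the `threshold` option both rules carry, as an added Python example that is not part of the thread and not Snort's own code: a small rule parser, a check that flags a `flow:from_server` rule whose header does not put the service port on the source side, and a simplified replay of `type threshold, track by_dst` over constructed (time, destination) events. The window semantics in `threshold_alerts` are an approximation of Snort's, not a copy of its implementation.

```python
import re

DWANE_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"BLOCKED FTP Brute-Force attempt";'  # quoted from the thread
              'flow:from_server,established; content:"530 "; threshold: type threshold, '
              'track by_dst, count 10, seconds 60; sid:1000002; rev:1; fwsam: src, 5 minutes;)')

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$")

def parse_rule(text):
    """Split a Snort rule (line-wrapped is fine) into header fields plus an option dict."""
    m = HEADER_RE.match(" ".join(text.split()))  # collapse the mailing-list line wraps
    if not m: raise ValueError("not a Snort rule")
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key] = val.strip()
    rule["opts"] = opts
    return rule

def flow_mismatch(rule, service_port="21"):
    """Joel's point as a check: flow from_server/to_client needs the service port as the header's
    SOURCE port, to_server/from_client as its DESTINATION; returns the contradiction or None."""
    flow = rule["opts"].get("flow", "")
    if "from_server" in flow or "to_client" in flow:
        if rule["sport"] != service_port:
            return f"flow is from_server but source port is {rule['sport']}, not {service_port}"
    elif "to_server" in flow or "from_client" in flow:
        if rule["dport"] != service_port:
            return f"flow is to_server but destination port is {rule['dport']}, not {service_port}"
    return None

def threshold_alerts(events, count, seconds):
    """Simplified 'type threshold, track by_dst': (time, dst) events, one per 530 response; returns alert times."""
    window = {}  # dst -> (window start time, events seen in that window)
    fired = []
    for t, dst in sorted(events):
        start, n = window.get(dst, (None, 0))
        if start is None or t - start >= seconds:  # window expired: start a new one here
            start, n = t, 0
        n += 1
        if n >= count:  # threshold reached: alert and restart the window for this host
            fired.append(t)
            start, n = None, 0
        window[dst] = (start, n)
    return fired
```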