[Snort-users] can I write rules to detect certain ftp downloads?
Jason.Haar at ...294...
Wed Apr 23 19:20:32 EDT 2008
I have a requirement to be able to whitelist (i.e. "pass" rule) certain
FTP transactions. This is easy to do with nice protocols like HTTP - but
the dual-channel nature of FTP makes this hard, for me at least.

Can I write a rule that would allow me to say "doing a GET on a file
containing 'XXX' on port 21 means any future traffic you then see
between these two IP addresses is OK"? I guess I'm asking if a
combination of "pass" rules and enabling "data_chan" on the ftptelnet
preprocessor will do the trick?

Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1