[Snort-users] can I write rules to detect certain ftp downloads?

Jason Haar Jason.Haar at ...294...
Wed Apr 23 19:20:32 EDT 2008

Hi there

I have a requirement to be able to whitelist (ie. "pass" rule) certain 
FTP transactions. This is easy to do with nice protocols like HTTP - but 
the  dual-channel nature of FTP makes this hard for me at least.

Can I write a rule that would allow me to say "doing a GET on a file 
containing 'XXX' on port 21 means any future traffic you then see 
between these two IP addresses is OK"? I guess I'm asking if a 
combination of "pass" rules and enabling "data_chan" on the ftptelnet 
preprocessor will do the trick?



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list