[Snort-users] Snort Rule and FTP server

quocviet nguyen nguyenquocviet.2010 at ...11827...
Sun Nov 3 04:23:49 EST 2013


Hi all,

I have installed Snort Version 2.9.4.6 GRE (Build 73) on CentOS 5.5, and
then wrote a simple rule:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any ( \
    msg:"ET SCAN Potential FTP Brute-Force attempt"; \
    flow:from_server,established; \
    content:"530 "; \
    pcre:"/530\s+(Login|User|Failed|Not)/smi"; \
    sid:1000003; rev:10;)

This rule detects unsuccessful user logins to the FTP server, but Snort cannot
detect the string "530 Login incorrect" in the server's response payload,
although when I capture the packets with Wireshark, I see that the server has
responded with the above string.

Could you give any recommendation in this situation?

Thanks.


-- 
viet
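
An added example, not part of the original post: a Python harness that applies the rule's two payload options (content and pcre) to constructed FTP replies, to separate a pattern problem from a problem with how the traffic reaches the rule. Python's re module stands in for Snort's PCRE engine here, and the sample payloads and function names are assumptions made for illustration.

```python
import re

# Payload options copied from the rule in the post.
CONTENT = b"530 "  # content:"530 ";  plain content is a case-sensitive byte match
# pcre flags /smi: s = dot matches newline, m = multiline anchors, i = caseless
PCRE = re.compile(rb"530\s+(Login|User|Failed|Not)",
                  re.DOTALL | re.MULTILINE | re.IGNORECASE)


def rule_payload_matches(payload: bytes) -> bool:
    """True when both the content and the pcre option match the payload."""
    return CONTENT in payload and PCRE.search(payload) is not None


# Constructed server-to-client FTP control payloads (not captured traffic).
SAMPLES = {
    "failed login": b"530 Login incorrect.\r\n",
    "not logged in": b"530 Not logged in.\r\n",
    "lowercase text": b"530 login authentication failed\r\n",
    "other 530 text": b"530 Please login with USER and PASS.\r\n",
    "successful login": b"230 Login successful.\r\n",
    # Only the first part of a reply: the pcre needs the full word.
    "partial reply": b"530 Log",
    "two replies in one payload":
        b"331 Please specify the password.\r\n530 Login incorrect.\r\n",
}


def evaluate(samples):
    """Map each sample name to the result of the payload checks."""
    return {name: rule_payload_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLES).items():
        print(f"{'MATCH' if hit else 'no match':9} {name}")
```

This covers only the payload options; the rule header ($HOME_NET, $EXTERNAL_NET, port 21) and the flow option are evaluated by Snort before the payload is inspected and are not modelled here.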