[Snort-users] RE : Snort Rule and FTP server

rmkml rmkml at ...1855...
Sun Nov 3 05:56:45 EST 2013

Hi Quocviet,

Could you check without checksum please? (-k none)


-------- Original message --------
From : quocviet nguyen <nguyenquocviet.2010 at ...11827...> 
Date :  
To : snort-users at lists.sourceforge.net 
Subject : [Snort-users] Snort Rule and FTP server 
hi all,

I have installed Snort Version GRE (Build 73) on CentOS 5.5, and then I wrote a simple rule:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established;  content:"530 ";  pcre:"/530\s+(Login|User|Failed|Not)/smi"; sid:1000003; rev:10;)

This rule detects unsuccessful user logins to the FTP server, but Snort cannot detect the string "530 Login incorrect" in the server's response payload, although when I capture packets with Wireshark, I see that the server has responded with the above string.

Could you give any recommendation in this situation?
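
Added example, not part of either message in this thread: a Python sketch of why running with -k none can matter for the rule above. It assumes the server responses reach the sensor with bad TCP checksums (for example, checksum offload on the sniffing host); would_alert is a hypothetical, simplified model of checksum handling plus the rule's content/pcre test, not Snort's code, and the addresses and payload are constructed.

```python
import re
import socket
import struct

RULE_CONTENT = b"530 "  # content: option from the rule in the post
RULE_PCRE = re.compile(rb"530\s+(Login|User|Failed|Not)", re.S | re.M | re.I)

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = socket.inet_aton(src) + socket.inet_aton(dst)
    data += struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_segment(src, dst, sport, dport, payload: bytes) -> bytes:
    """20-byte TCP header (PSH|ACK) plus payload, with a correct checksum."""
    fields = [sport, dport, 1000, 2000, (5 << 12) | 0x018, 65535, 0, 0]
    header = struct.pack("!HHIIHHHH", *fields)
    fields[6] = tcp_checksum(src, dst, header + payload)
    return struct.pack("!HHIIHHHH", *fields) + payload

def stale_checksum(segment: bytes) -> bytes:
    """Same segment with a wrong checksum field, as a sniffer can see it."""
    (good,) = struct.unpack("!H", segment[16:18])
    return segment[:16] + struct.pack("!H", good ^ 0x5555) + segment[18:]

def checksum_ok(src, dst, segment: bytes) -> bool:
    # Recomputing over a segment whose checksum field is correct yields 0.
    return tcp_checksum(src, dst, segment) == 0

def would_alert(src, dst, segment: bytes, checksum_mode: str = "all") -> bool:
    """Simplified model: 'all' skips bad-checksum segments, 'none' does not."""
    if checksum_mode != "none" and not checksum_ok(src, dst, segment):
        return False
    payload = segment[20:]
    return RULE_CONTENT in payload and RULE_PCRE.search(payload) is not None

if __name__ == "__main__":
    SRC, DST = "192.0.2.10", "198.51.100.7"  # constructed addresses
    good = build_segment(SRC, DST, 21, 40000, b"530 Login incorrect\r\n")
    for name, seg in (("valid", good), ("stale", stale_checksum(good))):
        for mode in ("all", "none"):
            print(name, "-k", mode, "->", would_alert(SRC, DST, seg, mode))
```
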

