[Snort-users] Snort Rule and FTP server

Joel Esler jesler at ...1935...
Sun Nov 3 08:29:15 EST 2013


https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md

Try that. 

--
Joel Esler

> On Nov 3, 2013, at 4:23, quocviet nguyen <nguyenquocviet.2010 at ...11827...> wrote:
> 
> Hi all,
> 
> I have installed Snort Version 2.9.4.6 GRE (Build 73) on CentOS 5.5, and then I wrote a simple rule:
> 
> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established;  content:"530 ";  pcre:"/530\s+(Login|User|Failed|Not)/smi"; sid:1000003; rev:10;)
> 
> This rule detects unsuccessful user logins to the FTP server, but Snort cannot detect the string "530 Login incorrect" in the server's response payload, although when I capture the packets with Wireshark, I see that the server has responded with the above string.
> 
> Could you give any recommendation in this situation?
> 
> Thanks.
> 
> 
> -- 
> viet
