[Snort-users] FTP rules, different port

Y M snort at ...15979...
Sun Apr 26 11:42:12 EDT 2015

From: miboe60 at ...125...
To: snort-users at lists.sourceforge.net
Date: Sun, 26 Apr 2015 15:00:29 +0200
Subject: [Snort-users] FTP rules, different port

I have enabled the 'protocol-ftp' rules in PulledPork, however several FTP attacks are not reported. I went to check for the rules, and they almost all have port '21' hardcoded as a port, instead of the more general '$FTP_PORTS' variable.
# In general, it depends on the ftp port your server is running and the one you are monitoring/protecting. Also, make sure that the traffic hitting the ftp server actually matches the rules. Finally, try running Snort with "-k none". If you run an ftp exploit against a non-standard ftp port, then the rules will have to be modified to accommodate the network conditions, in this case the port. Unless you use an Application Detector (OpenAppID), which abstracts the need for hardcoding ports and just worries about ftp traffic regardless of port. But this is another beast to tackle :)
My FTP server is running on another port, and is thus not protected by most of the 21 rules. Do I have to copy paste them in my custom ruleset, or is there something that I'm missing?
# You can use the modifysid.conf from PulledPork. The syntax for doing so is rather simple. Take a look inside the modifysid.conf, it is documented with examples.
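
Added example (not part of the original thread and not PulledPork's own code): a small audit script that finds rules whose source or destination port is the literal `21`, lists their sids, and shows the header rewritten to `$FTP_PORTS`. The function name, the sample rules and their sids are constructed for illustration, and it assumes `$FTP_PORTS` in snort.conf includes the port your server actually listens on.

```python
import re

# Constructed sample rules (not real ruleset entries); sids are placeholders.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"constructed FTP rule A"; flow:to_server,established; content:"USER"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"constructed FTP rule B"; flow:to_server,established; content:"PASS"; sid:1000002; rev:1;)
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"constructed FTP rule C, disabled"; flow:to_client,established; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2121 (msg:"constructed rule D"; sid:1000004; rev:1;)
"""

# Rule header: action proto src sport direction dst dport (options)
# An optional leading '#' marks a disabled rule, which is still audited.
HEADER = re.compile(
    r'^(?P<off>#\s*)?(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+'
    r'(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+'
    r'(?P<opts>\(.*\))\s*$')
SID = re.compile(r'\bsid:\s*(\d+)\s*;')


def rewrite_ftp_ports(rules_text, literal="21", variable="$FTP_PORTS"):
    """Return (new_text, changed_sids).

    Only a port field that is exactly `literal` is replaced, so 2121,
    port lists and rules already using the variable are left untouched.
    """
    out, changed = [], []
    for line in rules_text.splitlines():
        m = HEADER.match(line)
        if not m or literal not in (m["sport"], m["dport"]):
            out.append(line)
            continue
        sport = variable if m["sport"] == literal else m["sport"]
        dport = variable if m["dport"] == literal else m["dport"]
        sid = SID.search(m["opts"])
        changed.append(int(sid.group(1)) if sid else None)
        out.append(f'{m["off"] or ""}{m["action"]} {m["proto"]} {m["src"]} '
                   f'{sport} {m["dir"]} {m["dst"]} {dport} {m["opts"]}')
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, sids = rewrite_ftp_ports(SAMPLE_RULES)
    print("sids with hardcoded port 21:", sids)
    print(new_text)
```

The sid list it reports is what you would feed into a modifysid.conf entry, so the change survives the next PulledPork run instead of being overwritten.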

