Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: the meaning with arrows in alerts?

From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 06 Aug 2001 10:23:31 -0400
Here's the rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 \
        (msg:"FTP passwd retreval attempt"; \
        content:"RETR"; nocase; \
        content:"passwd"; \
        flags: A+; \
        reference:arachnids,213; \
        classtype:bad-unknown; \
        sid:356; rev:2;)

Looks like it's doing its job to me...

   -Marty


Pontus Joakimsson wrote:


found this in my log:

[**] [1:356:2] FTP passwd retreval attempt [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/06-14:10:46.916395 x.x.x.11:25733 -> x.x.x.8:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:149
***AP*** Seq: 0xDA6FB967  Ack: 0x63800E38  Win: 0x2798  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS213]

Now, normally, you would say the attempt was from .11 address, the IP shown
before the '->' TO the IP after the '->'.

But I have a feeling, if you look at the port numbers, that its the way around, or?

Regards,
 Pontus Joakimsson

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: