Snort mailing list archives
Snort Rule and FTP server
From: quocviet nguyen <nguyenquocviet.2010 () gmail com>
Date: Sun, 3 Nov 2013 16:23:49 +0700
hi all,

I have installed Snort Version 2.9.4.6 GRE (Build 73) on CentOS 5.5, and then I wrote a simple rule:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 "; pcre:"/530\s+(Login|User|Failed|Not)/smi"; sid:1000003; rev:10;)

This rule detects unsuccessful user logins to the FTP server, but Snort cannot detect the string "530 Login incorrect" in the server's response payload, although when I capture packets with Wireshark I see that the server has responded with the above string. Could you give any recommendation in this situation?

thanks.
--
viet
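An offline check of the posted rule against a single server-to-client packet, added here as an example (not part of the original post and not Snort's own code): it evaluates the rule header and the content/pcre options separately. The addresses, the HOME_NET value, the EXTERNAL_NET setting and the sample replies are constructed assumptions, and the parser only handles plain-text content strings.

```python
import ipaddress
import re

# The rule as posted in the message above.
RULE = ('alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP '
        'Brute-Force attempt"; flow:from_server,established; content:"530 "; '
        r'pcre:"/530\s+(Login|User|Failed|Not)/smi"; sid:1000003; rev:10;)')

PCRE_FLAGS = {"s": re.S, "m": re.M, "i": re.I}

# Constructed sample FTP replies (not captured traffic).
SAMPLES = [b"530 Login incorrect.\r\n",
           b"530 Please login with USER and PASS.\r\n",
           b"230 Login successful.\r\n"]

def payload_options(rule):
    """Extract the content bytes and the compiled pcre from the option list.
    Hex content such as |0d 0a| is not handled in this sketch."""
    content = re.search(r'content:"([^"]*)"', rule).group(1).encode()
    body, mods = re.search(r'pcre:"/(.*)/([a-zA-Z]*)"', rule).groups()
    flags = 0
    for mod in mods:
        flags |= PCRE_FLAGS[mod]
    return content, re.compile(body.encode(), flags)

def payload_matches(rule, payload):
    """True when content (case-sensitive, no nocase) and pcre both match."""
    content, regex = payload_options(rule)
    return content in payload and regex.search(payload) is not None

def header_matches(src, sport, dst, home_net, external_is_not_home=True):
    """Evaluate 'tcp $HOME_NET 21 -> $EXTERNAL_NET any' for one packet.
    external_is_not_home=True models EXTERNAL_NET set to !$HOME_NET (assumed);
    False models EXTERNAL_NET set to any."""
    home = ipaddress.ip_network(home_net)
    src_ok = ipaddress.ip_address(src) in home and sport == 21
    dst_in_home = ipaddress.ip_address(dst) in home
    return src_ok and (not dst_in_home or not external_is_not_home)

if __name__ == "__main__":
    for reply in SAMPLES:
        print(reply, "payload match:", payload_matches(RULE, reply))
    # Constructed addresses: server and client both inside the assumed HOME_NET.
    print("header match:",
          header_matches("192.168.1.10", 21, "192.168.1.50", "192.168.1.0/24"))
```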