Snort mailing list archives
Re: FTP Snort rule
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 7 May 2014 16:47:28 +0000
Try: https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On May 7, 2014, at 12:31 PM, vijay saravanan <vjysaravan_88 () yahoo com> wrote:

Hi All,

I am new to Snort. Here is the rule written to detect connection requests to the FTP server and responses from the FTP server.

    alert tcp any any <> 192.168.0.147 21 (msg: "FTP access";sid:10000002;rev:1;)

Snort alerts on all the connection attempts from external hosts to the FTP server, but it is not producing an alert for the response sent by the FTP server.

For example: I could see the packet captured from 192.168.0.125 to 192.168.0.147:21 for "USER root", but the response by the FTP server 192.168.0.147:21 to 192.168.0.125 is not captured.

We changed the rule to:

    alert tcp 192.168.0.147 21 -> any any (msg: "FTP access";sid:10000002;rev:1;)

But still it doesn't work.

Please assist. Let me know if you need additional information.

Thanks,
Vijay

------------------------------------------------------------------------------
Is your legacy SCM system holding you back? Join Perforce May 7 to find out:
• 3 signs your SCM is hindering your productivity
• Requirements for releasing software faster
• Expert tips and advice for migrating your SCM now
http://p.sf.net/sfu/perforce
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- FTP Snort rule vijay saravanan (May 07)
- Re: FTP Snort rule Joel Esler (jesler) (May 07)
- Re: FTP Snort rule vijay saravanan (May 07)
- Re: FTP Snort rule waldo kitty (May 07)
- Re: FTP Snort rule Joel Esler (jesler) (May 07)