Snort mailing list archives

Re: FTP rules, different port


From: Y M <snort () outlook com>
Date: Sun, 26 Apr 2015 15:42:12 +0000


From: miboe60 () hotmail com
To: snort-users () lists sourceforge net
Date: Sun, 26 Apr 2015 15:00:29 +0200
Subject: [Snort-users] FTP rules, different port




Hello,
I have enabled the 'protocol-ftp' rules in PulledPork, however several FTP attacks are not reported. I went to check 
for the rules, and they almost all have port '21' hardcoded as a port, instead of the more general '$FTP_PORTS' 
variable..
# In general, it depends on the ftp port your server is running and the one you are monitoring/protecting. Also, make 
sure that the traffic hitting the ftp server actually matches the rules. Finally, try running Snort with "-k none".  If 
you run an ftp exploit against a non-standard ftp port, then the rules will have to be modified to accommodate the 
network conditions, in this case the port. Unless you use an Application Detector (OpenAppID), which abstracts the need 
for hardcoding ports and just worry about ftp traffic regardless of port. But this is another beast to tackle :)
My FTP server is running on another port, and is thus not protected by most of the 21 rules.. Do I have to copy paste 
them in my custom ruleset, or is there something that I'm missing?
# You can use the modifysid.conf from PulledPork. The syntax for doing so is rather simple. Take a look inside the 
modifysid.conf, it is documented with examples.

 
                                          

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        
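
An added example, not part of the original messages and not PulledPork's own mechanism: a stand-alone Python audit that finds rules whose header hardcodes port 21 and rewrites only that header field to `$FTP_PORTS`, returning the affected SIDs. The sample rules and their SIDs are constructed, and the parser assumes single-line rules with no spaces inside address or port lists.

```python
import re

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
# A leading "#" marks a rule that is present but disabled in the rules file.
HEADER = re.compile(
    r'^(?P<off>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+(?P<opts>\(.*\))\s*$')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

# Constructed sample rules (local SID range), not taken from any real ruleset.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"CONSTRUCTED ftp cmd"; flow:to_server,established; content:"SITE "; sid:1000001; rev:1;)
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"CONSTRUCTED ftp reply"; content:"port 21"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"CONSTRUCTED already portable"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2121 (msg:"CONSTRUCTED other port"; sid:1000004; rev:1;)
"""

def rewrite_ftp_ports(rule_text, port="21", var="$FTP_PORTS"):
    """Return (new_text, sids). Rules whose source or destination port is
    exactly `port` get `var` in that field; option bodies are left untouched,
    so a content match such as "port 21" is never rewritten."""
    out, sids = [], []
    for line in rule_text.splitlines():
        m = HEADER.match(line.strip())
        if not m or port not in (m["sport"], m["dport"]):
            out.append(line)          # comments, other ports, already portable
            continue
        sport = var if m["sport"] == port else m["sport"]
        dport = var if m["dport"] == port else m["dport"]
        out.append(f'{m["off"] or ""}{m["action"]} {m["proto"]} {m["src"]} '
                   f'{sport} {m["dir"]} {m["dst"]} {dport} {m["opts"]}')
        sid = SID.search(m["opts"])
        if sid:
            sids.append(int(sid.group(1)))
    return "\n".join(out), sids

if __name__ == "__main__":
    new_text, changed = rewrite_ftp_ports(SAMPLE_RULES)
    print(new_text)
    print("SIDs with a hardcoded port 21:", changed)
```

The rewritten rules only cover the server if the `FTP_PORTS` portvar in snort.conf includes the port it actually listens on.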
  