Snort mailing list archives
Re: FTP rules, different port
From: Y M <snort () outlook com>
Date: Sun, 26 Apr 2015 15:42:12 +0000
From: miboe60 () hotmail com
To: snort-users () lists sourceforge net
Date: Sun, 26 Apr 2015 15:00:29 +0200
Subject: [Snort-users] FTP rules, different port

Hello,

I have enabled the 'protocol-ftp' rules in PulledPork, however several FTP attacks are not reported. I went to check for the rules, and they almost all have port '21' hardcoded as a port, instead of the more general '$FTP_PORTS' variable..

# In general, it depends on the ftp port your server is running and the one you are monitoring/protecting. Also, make sure that the traffic hitting the ftp server actually matches the rules. Finally, try running Snort with "-k none". If you run an ftp exploit against a non-standard ftp port, then the rules will have to be modified to accommodate the network conditions, in this case the port. Unless you use an Application Detector (OpenAppID), which abstracts the need for hardcoding ports and just worry about ftp traffic regardless of port. But this is another beast to tackle :)

My FTP server is running on another port, and is thus not protected by most of the 21 rules.. Do I have to copy paste them in my custom ruleset, or is there something that I'm missing?

# You can use the modifysid.conf from PulledPork. The syntax for doing so is rather simple. Take a look inside the modifysid.conf, it is documented with examples.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
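The rule-header change discussed in this thread (a hardcoded port 21 replaced by $FTP_PORTS), shown as an added example that is not part of either message and is not PulledPork's own modifysid mechanism. The function names and the sample rules (local SIDs 1000001 and up) are constructed for illustration, and the code assumes a `portvar FTP_PORTS` in snort.conf that lists the server's real port.

```python
import re

# Snort rule header: action proto src_ip src_port direction dst_ip dst_port (options)
# An optional leading "#" keeps disabled rules in scope so they stay consistent.
HEADER_RE = re.compile(
    r"^(?P<prefix>#?\s*)(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?P<opts>\(.*\))\s*$"
)

def retarget_ftp_port(rule, old_port="21", var="$FTP_PORTS"):
    """Return (rule, changed). Only the two header port fields are rewritten;
    the option body (content matches, msg text) is never touched."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return rule, False  # plain comment, blank line, or unsupported header
    sport, dport = m["sport"], m["dport"]
    new_sport = var if sport == old_port else sport
    new_dport = var if dport == old_port else dport
    if (new_sport, new_dport) == (sport, dport):
        return rule, False
    header = " ".join([m["action"], m["proto"], m["src"], new_sport,
                       m["dir"], m["dst"], new_dport])
    return f'{m["prefix"]}{header} {m["opts"]}', True

def retarget_all(rules):
    """Rewrite a list of rule lines; return (new_lines, number_changed)."""
    out, count = [], 0
    for rule in rules:
        new, changed = retarget_ftp_port(rule)
        out.append(new)
        count += changed
    return out, count

# Constructed sample rules, not taken from any published ruleset.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"constructed FTP command"; flow:to_server,established; content:"SITE "; nocase; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"constructed FTP response"; flow:to_client,established; content:"21"; sid:1000002; rev:1;)',
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"constructed, already portable"; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed HTTP rule"; content:"port 21"; sid:1000004; rev:1;)',
]

if __name__ == "__main__":
    rewritten, n = retarget_all(SAMPLE_RULES)
    print(f"{n} rule(s) rewritten")
    for line in rewritten:
        print(line)
```

Headers that use bracketed lists containing spaces are left unchanged by this pattern and need manual review.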
Current thread:
- FTP rules, different port Michael B (Apr 26)
- Re: FTP rules, different port Y M (Apr 26)