[Oisf-users] Suricata ftp protocol decode.

Nikolay Denev ndenev at gmail.com
Thu Apr 26 14:36:28 UTC 2012


I'm trying to set up a rule to catch FTP users on all ports, not only the standard FTP port, and I'm doing this:

alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"FTP User"; flow:established,to_server; content:"USER"; nocase; classtype:policy-violation; sid:9000015; rev:1;)

But this rule does not trigger alerts, while this one works (for the standard FTP port):

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP User"; flow:established,to_server; content:"USER"; nocase; classtype:policy-violation; sid:9000015; rev:1;)

Am I missing something here?

Regards,
Nikolay
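The difference between the two rules above is what gates the `content:"USER"` match: the second rule is gated by destination port 21, the first by Suricata having identified the flow as FTP through port-independent application-layer protocol detection, so it only fires on flows that detection has actually classified as FTP. The following is an added illustration, not code from the original post or from Suricata. It models that difference over three constructed flows with a deliberately simplified, hypothetical `detect_app_proto` (a 220 banner from the server or a USER/PASS command from the client in the first payloads); Suricata's real detection patterns and engine are more elaborate than this.

```python
"""Toy model of port-gated vs. protocol-gated matching for content:"USER"; nocase.

Added example, not Suricata code. The flows, the protocol-detection heuristic
and the two rule functions are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Flow:
    """One TCP flow, with payloads split by direction (constructed sample data)."""
    client: str
    server: str
    dport: int
    to_server: List[bytes] = field(default_factory=list)  # client -> server payloads
    to_client: List[bytes] = field(default_factory=list)  # server -> client payloads


def detect_app_proto(flow: Flow) -> Optional[str]:
    """Hypothetical, simplified port-independent protocol detection.

    Assumption for this example: a flow is FTP if the server's early output is a
    '220 ' banner or the client's early input is a USER/PASS command. The port
    is deliberately ignored, which is the point of app-layer detection.
    """
    for payload in flow.to_client[:3]:
        if payload.upper().startswith(b"220 "):
            return "ftp"
    for payload in flow.to_server[:3]:
        if payload.upper().startswith((b"USER ", b"PASS ")):
            return "ftp"
    return None


def has_user_to_server(flow: Flow) -> bool:
    """content:"USER"; nocase; restricted to the to_server direction."""
    return any(b"USER" in payload.upper() for payload in flow.to_server)


def port_rule(flow: Flow) -> bool:
    """Models: alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (content:"USER"; nocase;)"""
    return flow.dport == 21 and has_user_to_server(flow)


def proto_rule(flow: Flow) -> bool:
    """Models: alert ftp $HOME_NET any -> $EXTERNAL_NET any (content:"USER"; nocase;)

    Fires only if detection classified the flow as FTP, whatever the port.
    """
    return detect_app_proto(flow) == "ftp" and has_user_to_server(flow)


def evaluate(flows: List[Flow]) -> List[Tuple[int, bool, bool]]:
    """Return (dport, port_rule fired, proto_rule fired) for each flow."""
    return [(f.dport, port_rule(f), proto_rule(f)) for f in flows]


# Constructed sample flows: standard-port FTP, FTP on 2121, and an HTTP request
# that merely contains the bytes "USER" in its path.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 21,
         to_server=[b"USER alice\r\n", b"PASS hunter2\r\n"],
         to_client=[b"220 ftp ready\r\n"]),
    Flow("10.0.0.5", "203.0.113.20", 2121,
         to_server=[b"user bob\r\n"],
         to_client=[b"220 (vsFTPd)\r\n"]),
    Flow("10.0.0.5", "203.0.113.30", 80,
         to_server=[b"GET /USER HTTP/1.1\r\nHost: example.test\r\n\r\n"],
         to_client=[b"HTTP/1.1 200 OK\r\n\r\n"]),
]

if __name__ == "__main__":
    for dport, port_hit, proto_hit in evaluate(SAMPLE_FLOWS):
        print(f"dport={dport:<5} tcp/21 rule: {port_hit!s:<5} ftp/any rule: {proto_hit}")
```

The model shows the two behaviours a practitioner cares about: the protocol-gated rule reaches FTP on 2121, which the port-gated rule cannot, and it stays quiet on the HTTP flow even though the payload contains "USER". It also makes the dependency explicit: an `alert ftp` rule can only ever fire on flows that Suricata's FTP protocol detection has classified, so when such a rule is silent on a non-standard port, the first thing to verify is that FTP detection and parsing are enabled and that the session is actually being recognised as FTP.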

