[Oisf-users] Suricata ftp protocol decode.
Nikolay Denev
ndenev at gmail.com
Thu Apr 26 14:36:28 UTC 2012
I'm trying to set up a rule to catch FTP users on all ports, not only the standard FTP port, and I'm doing this:
alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"FTP User"; flow:established,to_server; content:"USER"; nocase; classtype:policy-violation; sid:9000015; rev:1;)
But this rule does not trigger alerts, while this one works (for the standard FTP port):
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP User"; flow:established,to_server; content:"USER"; nocase; classtype:policy-violation; sid:9000015; rev:1;)
Am I missing something here?
Regards,
Nikolay
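A way to check which of the two rules above fires on a non-standard port is to replay a known session through `suricata -r`. The script below is an added harness, not part of this thread or of Suricata: it builds a constructed pcap of an FTP login to port 2121 (three-way handshake, server banner, client USER line) with valid IP and TCP checksums, so the stream engine does not discard the packets. The addresses, ports, banner text, username and the `ftp.rules` file name are assumed sample values.

```python
import struct
# Constructed sample endpoints (assumed addresses); the server listens on a non-standard port.
CLIENT, SERVER = b"\x0a\x00\x00\x05", b"\xc6\x33\x64\x07"   # 10.0.0.5, 198.51.100.7
CLIENT_PORT, SERVER_PORT = 40000, 2121
SYN, ACK, PSH = 0x02, 0x10, 0x08

def checksum(data):
    # RFC 1071 one's-complement sum; Suricata ignores packets with bad checksums by default
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    # Ethernet/IPv4/TCP frame with valid IP and TCP checksums
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return b"\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02\x08\x00" + ip + tcp

def checksums_ok(frame):
    # True when the IPv4 and TCP checksums of a frame built above verify (sum folds to zero)
    ip, tcp = frame[14:34], frame[34:]
    return checksum(ip) == 0 and checksum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0

def ftp_session_frames():
    # Handshake, server banner, then the client's USER line: the to_server data the rules inspect
    c, s = 1000, 5000  # initial sequence numbers
    banner, user = b"220 Welcome\r\n", b"USER alice\r\n"
    return [
        tcp_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, c, 0, SYN),
        tcp_frame(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, s, c + 1, SYN | ACK),
        tcp_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, c + 1, s + 1, ACK),
        tcp_frame(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, s + 1, c + 1, PSH | ACK, banner),
        tcp_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, c + 1, s + 1 + len(banner), PSH | ACK, user),
    ]

def pcap_bytes(frames):
    # libpcap file image (little-endian, link type 1 = Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1335450000 + i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    with open("ftp2121.pcap", "wb") as f:   # then: suricata -r ftp2121.pcap -S ftp.rules -l .
        f.write(pcap_bytes(ftp_session_frames()))
```

Put one of the two rules in `ftp.rules`, replay the pcap, and look for the "FTP User" alert in the log directory; repeating this with the other rule shows directly whether the `ftp` protocol keyword matches on port 2121.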