[Oisf-users] Suricata ftp protocol decode.

Nikolay Denev ndenev at gmail.com
Thu Apr 26 15:10:50 UTC 2012


On Apr 26, 2012, at 6:02 PM, Seth Hall wrote:

> 
> On Apr 26, 2012, at 10:36 AM, Nikolay Denev wrote:
> 
>> alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"FTP User"; flow:established,to_server; content:"USER"; nocase; classtype:policy-violation; sid:9000015; rev:1;)
> 
> 
> I'm taking a wild stab with this one, but have you tried making this "alert tcp"?
> 
>  .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
> 

That should work, but would generate an alert for every occurrence of the string "USER" sent to the server via TCP (probably would catch all browsers sending their User-Agent headers).
I was hoping that the protocol decoder could help me filter out only "real" FTP sessions.
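As an added illustration of the false positive described in this reply (example code, not from the thread or from Suricata), here is a small Python model of the two checks: the plain `content:"USER"; nocase;` byte search versus the same match gated on the stream looking like FTP. The line-based FTP heuristic is an assumption standing in for Suricata's app-layer protocol detection, and the payloads are constructed samples, not captured traffic.

```python
import re

# Constructed to-server payloads (not captured traffic).
SAMPLES = {
    "ftp_login": b"USER alice\r\nPASS hunter2\r\n",
    "http_get": (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n"),
    "ftp_cwd": b"CWD /pub\r\n",
}

# RFC 959 command line: 3-4 letter verb, optional argument, no CR/LF inside.
FTP_CMD_LINE = re.compile(rb"[A-Za-z]{3,4}(?: [^\r\n]*)?")
# The USER command itself, case-insensitive like the rule's "nocase".
FTP_USER_LINE = re.compile(rb"USER [^\r\n]+", re.IGNORECASE)


def naive_content_match(payload: bytes) -> bool:
    """Model of the 'alert tcp' variant: content:"USER"; nocase; anywhere
    in the to-server payload. Also matches an HTTP User-Agent header."""
    return b"user" in payload.lower()


def looks_like_ftp(payload: bytes) -> bool:
    """Assumed stand-in for app-layer protocol detection: the payload must
    consist solely of CRLF-terminated FTP-style command lines."""
    if not payload.endswith(b"\r\n"):
        return False
    lines = payload[:-2].split(b"\r\n")
    return all(FTP_CMD_LINE.fullmatch(line) for line in lines)


def ftp_user_match(payload: bytes) -> bool:
    """Model of what the 'alert ftp' rule is meant to do: fire only when the
    stream is FTP and one of its command lines is USER <name>."""
    if not looks_like_ftp(payload):
        return False
    return any(FTP_USER_LINE.fullmatch(line)
               for line in payload[:-2].split(b"\r\n"))


def compare(samples=SAMPLES) -> dict:
    """Return {name: (naive_match, ftp_aware_match)} for each sample."""
    return {name: (naive_content_match(p), ftp_user_match(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (naive, ftp) in compare().items():
        print(f"{name:10s} naive={naive!s:5s} ftp_aware={ftp}")
```

The HTTP request trips the naive byte search through its User-Agent header but not the FTP-gated check, which is the false positive the reply is worried about.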
