[Oisf-users] Suricata ftp protocol decode.
Nikolay Denev
ndenev at gmail.com
Thu Apr 26 15:10:50 UTC 2012
On Apr 26, 2012, at 6:02 PM, Seth Hall wrote:
>
> On Apr 26, 2012, at 10:36 AM, Nikolay Denev wrote:
>
>> alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"FTP User"; flow:established,to_server; content:"USER"; nocase; classtype:policy-violation; sid:9000015; rev:1;)
>
>
> I'm taking a wild stab with this one, but have you tried making this "alert tcp"?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
That should work, but would generate alert for every occurrence of the the string "USER" sent to the server via TCP.(probably would catch all browsers sending their User-Agent headers)
I was hoping that the protocol decoder could help me filter out only "real" FTP sessions.
More information about the Oisf-users
mailing list