[Oisf-users] Suricata ftp protocol decode.

Nikolay Denev ndenev at gmail.com
Thu Apr 26 17:03:11 UTC 2012


On Apr 26, 2012, at 6:10 PM, Nikolay Denev wrote:

> On Apr 26, 2012, at 6:02 PM, Seth Hall wrote:
> 
>> 
>> On Apr 26, 2012, at 10:36 AM, Nikolay Denev wrote:
>> 
>>> alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"FTP User"; flow:established,to_server; content:"USER"; nocase; classtype:policy-violation; sid:9000015; rev:1;)
>> 
>> 
>> I'm taking a wild stab with this one, but have you tried making this "alert tcp"?
>> 
>> .Seth
>> 
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>> 
> 
> That should work, but would generate an alert for every occurrence of the string "USER" sent to the server via TCP (probably it would catch all browsers sending their User-Agent headers).
> I was hoping that the protocol decoder could help me filter out only "real" FTP sessions.
> 

Actually it's not fully not working, as "alert ftp" was triggered by a POP3 login on port 110. I have to check exactly what the "ftp" decoder does in the docs/sources. :)
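The false-positive problem discussed above, as an added example that is not part of the thread or of Suricata: it replays the proposed `content:"USER"; nocase;` test over three constructed flows (FTP, POP3, HTTP) and contrasts it with an illustrative FTP-aware check. The flows and the `ftp_user_command` heuristic are constructed for this example and only approximate what an app-layer decoder does.

```python
# Added example: why a bare content:"USER" match on TCP fires on POP3 and HTTP
# traffic, and what an FTP-aware check needs to look at instead.
import re

# Constructed sample flows. Each entry is (direction, line):
# "c" = client -> server (to_server), "s" = server -> client.
FLOWS = {
    "ftp": [
        ("s", "220 ftp.example.test FTP server ready"),
        ("c", "USER alice"),
        ("s", "331 Password required for alice"),
        ("c", "PASS secret"),
        ("s", "230 User logged in"),
    ],
    "pop3": [
        ("s", "+OK POP3 server ready"),
        ("c", "USER bob"),          # POP3 also has a USER command
        ("s", "+OK"),
        ("c", "PASS secret"),
    ],
    "http": [
        ("c", "GET / HTTP/1.1"),
        ("c", "Host: www.example.test"),
        ("c", "User-Agent: Mozilla/5.0"),   # "User" matches with nocase
    ],
}

def content_user_nocase(flow):
    """Mimics `alert tcp ... flow:to_server; content:"USER"; nocase;`."""
    return any(d == "c" and "user" in line.lower() for d, line in flow)

def ftp_user_command(flow):
    """Illustrative FTP-aware check (not Suricata's real ftp parser):
    require a 220 server greeting, then a client 'USER <name>' command,
    then a 331 or 230 server reply."""
    greeted = False
    for i, (d, line) in enumerate(flow):
        if d == "s" and line.startswith("220 "):
            greeted = True
        elif d == "c" and greeted and re.match(r"USER \S+$", line):
            reply = next((l for dd, l in flow[i + 1:] if dd == "s"), "")
            return reply[:3] in ("331", "230")
    return False

def evaluate(flows):
    """Returns {flow_name: (naive_match, ftp_aware_match)}."""
    return {n: (content_user_nocase(f), ftp_user_command(f)) for n, f in flows.items()}
```

Running `evaluate(FLOWS)` shows the naive test firing on all three flows while the FTP-aware check fires only on the real FTP login.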