[Oisf-users] Suricata ftp protocol decode.
Nikolay Denev
ndenev at gmail.com
Thu Apr 26 17:03:11 UTC 2012
On Apr 26, 2012, at 6:10 PM, Nikolay Denev wrote:
> On Apr 26, 2012, at 6:02 PM, Seth Hall wrote:
>
>>
>> On Apr 26, 2012, at 10:36 AM, Nikolay Denev wrote:
>>
>>> alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"FTP User"; flow:established,to_server; content:"USER"; nocase; classtype:policy-violation; sid:9000015; rev:1;)
>>
>>
>> I'm taking a wild stab with this one, but have you tried making this "alert tcp"?
>>
>> .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
>
> That should work, but would generate an alert for every occurrence of the string "USER" sent to the server via TCP (probably would catch all browsers sending their User-Agent headers).
> I was hoping that the protocol decoder could help me filter out only "real" FTP sessions.
>
Actually it's not fully not working, as "alert ftp" was triggered by a POP3 login on port 110. I have to check exactly what the "ftp" decoder does in the docs/sources. :)
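As an added illustration (not code from the thread and not Suricata's own FTP decoder), the constructed sessions below show why a plain `content:"USER"` match on to-server TCP data fires on POP3 logins and HTTP User-Agent headers, while a check that first requires an FTP `220` greeting from the server only fires on the FTP session. The greeting check is a simplification for demonstration, not how Suricata's app-layer detection works.

```python
# Added example: naive "USER" content match vs. a greeting-aware FTP check.
# All sessions are constructed samples, not captured traffic.
import re

SESSIONS = {
    "ftp": [("server", b"220 ftp.example.test FTP server ready\r\n"),
            ("client", b"USER alice\r\n"),
            ("server", b"331 Password required\r\n")],
    "pop3": [("server", b"+OK POP3 server ready\r\n"),
             ("client", b"USER alice\r\n"),
             ("server", b"+OK\r\n")],
    "http": [("client", b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                        b"User-Agent: curl/7.0\r\n\r\n"),
             ("server", b"HTTP/1.1 200 OK\r\n\r\n")],
}

def naive_user_match(session):
    """Mimics `alert tcp ... flow:to_server; content:"USER"; nocase;`:
    fires if USER (any case) appears anywhere in client-sent data."""
    client_data = b"".join(d for who, d in session if who == "client")
    return b"user" in client_data.lower()

# An FTP server opens the session with a 220 greeting; POP3 uses "+OK".
FTP_GREETING = re.compile(rb"^220[ -]")

def ftp_aware_user_match(session):
    """Fires only when the server opened with an FTP 220 greeting and the
    client then sent a USER command at the start of a line."""
    if not session or session[0][0] != "server":
        return False          # HTTP: client speaks first, no FTP banner
    if not FTP_GREETING.match(session[0][1]):
        return False          # POP3: "+OK" banner, not FTP
    client_data = b"".join(d for who, d in session if who == "client")
    return re.search(rb"(?im)^USER ", client_data) is not None

def evaluate(sessions=SESSIONS):
    """Return {session: (naive_fires, ftp_aware_fires)} for each sample."""
    return {name: (naive_user_match(s), ftp_aware_user_match(s))
            for name, s in sessions.items()}

if __name__ == "__main__":
    for name, (naive, aware) in evaluate().items():
        print(f"{name}: naive={naive} ftp_aware={aware}")
```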