[Oisf-users] Suricata ftp protocol decode.

Anoop Saldanha anoopsaldanha at gmail.com
Thu Apr 26 17:06:51 UTC 2012


On Thu, Apr 26, 2012 at 10:33 PM, Nikolay Denev <ndenev at gmail.com> wrote:
>
> On Apr 26, 2012, at 6:10 PM, Nikolay Denev wrote:
>
>> On Apr 26, 2012, at 6:02 PM, Seth Hall wrote:
>>
>>>
>>> On Apr 26, 2012, at 10:36 AM, Nikolay Denev wrote:
>>>
>>>> alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"FTP User"; flow:established,to_server; content:"USER"; nocase; classtype:policy-violation; sid:9000015; rev:1;)
>>>
>>>
>>> I'm taking a wild stab with this one, but have you tried making this "alert tcp"?
>>>
>>> .Seth
>>>
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro-ids.org/
>>>
>>
>> That should work, but would generate an alert for every occurrence of the string "USER" sent to the server via TCP (it would probably catch all browsers sending their User-Agent headers).
>> I was hoping that the protocol decoder could help me filter out only "real" FTP sessions.
>>
>
> Actually, it's not entirely not working, as "alert ftp" was triggered by a POP3 login on port 110. I have to check exactly what the "ftp" decoder does in the docs/sources. :)
>

The ftp decoder has no role to play for your rule.  From a dummy run it
looks fine to me.

Can you share a pcap?

-- 
Anoop Saldanha
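The behaviour Nikolay reports (an "alert ftp" rule firing on a POP3 login on port 110) can be illustrated with a small model of pattern-based application-layer protocol detection followed by rule matching. The following is an added example written for this page; it is not Suricata's code and does not come from anyone in the thread. The pattern tables, the greeting strings, the function names and the three sample exchanges are all assumptions constructed for illustration. It shows that a detector keyed only on client commands such as "USER " cannot tell FTP from POP3 (both protocols start a login with USER/PASS), that also checking the server greeting ("220" vs "+OK") disambiguates them, and, as a bonus, that a plain "alert tcp" rule with content:"USER" and nocase also fires on an HTTP User-Agent header, as Nikolay expected.

```python
# Added illustration of why an app-layer rule can fire on the "wrong"
# protocol. Toy model only; not Suricata's detection engine.
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical probing patterns checked on the first to-server payload.
# Both FTP and POP3 log in with "USER " / "PASS ", so these overlap.
TO_SERVER_PATTERNS = {
    "ftp":  (b"USER ", b"PASS ", b"PORT "),
    "pop3": (b"USER ", b"PASS ", b"APOP "),
}

# Hypothetical patterns on the first to-client payload (server greeting).
TO_CLIENT_GREETINGS = {
    "ftp":  b"220",  # FTP "service ready" reply code
    "pop3": b"+OK",  # POP3 greeting
}

# Constructed sample sessions: (first to-client bytes, first to-server bytes).
SESSIONS = {
    "ftp":  (b"220 ftp.example ready\r\n", b"USER alice\r\n"),
    "pop3": (b"+OK pop.example ready\r\n", b"USER alice\r\n"),
    "http": (b"HTTP/1.1 200 OK\r\n\r\n",
             b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n"),
}


@dataclass
class Rule:
    proto: str       # "tcp" or an app-layer protocol name such as "ftp"
    content: bytes   # content: keyword
    nocase: bool = True


def detect_by_client_data(first_to_server: bytes) -> set[str]:
    """Every protocol whose to-server patterns match the first client bytes."""
    return {proto for proto, pats in TO_SERVER_PATTERNS.items()
            if any(first_to_server.startswith(p) for p in pats)}


def detect(first_to_client: bytes, first_to_server: bytes,
           use_greeting: bool = True) -> str | None:
    """Classify a session.

    With use_greeting the server banner is consulted first, which separates
    FTP from POP3. Without it only the ambiguous client patterns remain and
    the tie is broken by name order, so a POP3 login comes out as "ftp".
    """
    if use_greeting:
        for proto, greet in TO_CLIENT_GREETINGS.items():
            if first_to_client.startswith(greet):
                return proto
    candidates = detect_by_client_data(first_to_server)
    return sorted(candidates)[0] if candidates else None


def rule_matches(rule: Rule, detected: str | None, to_server: bytes) -> bool:
    """Apply the rule's protocol filter, then its content match."""
    if rule.proto != "tcp" and rule.proto != detected:
        return False
    hay = to_server.lower() if rule.nocase else to_server
    needle = rule.content.lower() if rule.nocase else rule.content
    return needle in hay


def run(rule: Rule, use_greeting: bool = True) -> dict[str, bool]:
    """Evaluate one rule against every sample session; returns name -> fired."""
    return {name: rule_matches(rule, detect(c, s, use_greeting), s)
            for name, (c, s) in SESSIONS.items()}


if __name__ == "__main__":
    ftp_rule = Rule("ftp", b"USER")   # alert ftp ... content:"USER"; nocase;
    tcp_rule = Rule("tcp", b"USER")   # alert tcp ... content:"USER"; nocase;
    print("ftp rule, client patterns only:", run(ftp_rule, use_greeting=False))
    print("ftp rule, with server greeting:", run(ftp_rule, use_greeting=True))
    print("tcp rule:                      ", run(tcp_rule))
```

Run stand-alone, the first line shows the FTP rule firing on both the FTP and the POP3 session, the second shows the greeting check suppressing the POP3 hit, and the third shows the bare TCP rule firing on all three sessions, HTTP included. Whether Suricata's real detector behaves like the first or the second case for a given version is exactly what Anoop's request for a pcap would settle; this model only makes the two possibilities concrete.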


