FTP Login sig: msg#00128
security.ids.snort.bleedingsnort
Interesting idea from Steven Adair. This will tell you the usernames being used to FTP in. Useful for places with infrequent ftp logins to let you know who's doing what when. I'd not use this on a high volume ftp site, unless you need the info.

#by Steven Adair at securityzone.org
#Rule to catch all FTP logins that do not start with "anonymous" or "ftp"
# and do not contain "pass " (pass followed by a pass). -steven@securityzone
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BLEEDING-EDGE POLICY FTP Login Attempt (non-anonymous)"; flow:to_server,established; content:"USER"; content:!"PASS "; nocase; pcre:!"/^USER\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:2003930; rev:1;)

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
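
Added example, not part of the original message or the Bleeding Edge ruleset: a Python restatement of the rule's three payload tests (Snort 2.x keyword semantics), run over constructed FTP command payloads to check which logins the rule would report. The function names and sample payloads are assumptions for illustration; the flow and port conditions from the rule header are not modelled.

```python
import re

# pcre "/^USER\s+(anonymous|ftp)/smi": prefix match, so any username that
# merely begins with "anonymous" or "ftp" is also excluded.
ANON_RE = re.compile(rb"^USER\s+(anonymous|ftp)", re.S | re.M | re.I)
# Helper (not in the rule): pull the username out for reporting.
USER_RE = re.compile(rb"^USER\s+(\S+)", re.M | re.I)


def rule_matches(payload: bytes) -> bool:
    """True when the payload satisfies the content/pcre tests of sid:2003930."""
    # content:"USER";  has no nocase modifier, so the match is case-sensitive.
    if b"USER" not in payload:
        return False
    # content:!"PASS "; nocase;  negated, case-insensitive.
    if b"pass " in payload.lower():
        return False
    # pcre:!"...";  negated, so the rule fires only when the regex does not match.
    return ANON_RE.search(payload) is None


def username(payload: bytes):
    """Username from a USER command, or None if the payload has none."""
    m = USER_RE.search(payload)
    return m.group(1).decode("ascii", "replace") if m else None


def triage(payloads):
    """(username, would_alert) for each client-to-server payload."""
    return [(username(p), rule_matches(p)) for p in payloads]


# Constructed sample payloads, one FTP client segment each.
SAMPLES = [
    b"USER alice\r\n",                   # named account: reported
    b"USER anonymous\r\n",               # excluded by the pcre
    b"USER ftp\r\n",                     # excluded by the pcre
    b"USER ftpadmin\r\n",                # also excluded: begins with "ftp"
    b"user bob\r\n",                     # coverage gap: lowercase command
    b"USER carol\r\nPASS hunter2\r\n",   # USER and PASS in one segment: excluded
]

if __name__ == "__main__":
    for name, alert in triage(SAMPLES):
        print(f"{name!s:12} alert={alert}")
```

Of the six samples only "alice" is reported. The "ftpadmin" and lowercase "user bob" rows are the ones to weigh when relying on this rule as a login audit trail.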