
[Snort-sigs] ftp rules question - why only external to internal?

From: <Jerry.L.Rose(at)saj02.usace.army.mil>
Date: Fri Apr 25 2003 - 10:35:29 EDT


I see there are several "bad" sections in the ftp rules ("bad files" section shown below). My question is why limit these to External network to and from internal network? Wouldn't it be better to change them to any network to any network? For example, if an internal user (located on the HOME_NET) attempted to download a "bad" file from any ftp server I'd like to know about it. What am I missing here?

# BAD FILES
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; content: ".forward"; flow:to_server,established; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:1927; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:2;)

Jerry Rose
Network Security Administrator
U.S. Army Corps of Engineers
Jacksonville District




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Fri Apr 25 11:32:33 2003
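As an added example (not part of the post, and not code from the Snort project), here is a small Python script that parses the quoted "bad files" rules and emits copies whose network variables are changed: either the any-to-any form the poster proposes, or the narrower $HOME_NET -> $EXTERNAL_NET mirror that catches an internal client retrieving such a file from an outside server. It keeps the ports and every detection option untouched and writes each copy under a local SID (1,000,000 plus the original SID) with a tag appended to msg, so the stock rules can still be updated without merge conflicts; the SID mapping, the "(outbound)" tag and the sample rule text embedded below are assumptions of this example, the last two rules copied from the post.

```python
import re

# Constructed sample input: two of the "bad files" rules quoted in the post, verbatim.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:4;)
"""

# Snort rule header layout: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# SIDs below 1,000,000 belong to the distributed rule set; local copies go above it.
LOCAL_SID_BASE = 1_000_000


def parse_rule(line):
    """Split one Snort rule into its header fields plus a list of option strings."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    rule = m.groupdict()
    # Options are ';'-terminated; a literal ';' inside content must be escaped as '\;'.
    rule["opts"] = [o.strip() for o in re.split(r"(?<!\\);", rule["opts"]) if o.strip()]
    return rule


def option_value(rule, name):
    """Return the value of the first option called `name`, or None if absent."""
    for opt in rule["opts"]:
        key, _, value = opt.partition(":")
        if key.strip() == name:
            return value.strip()
    return None


def rewrite_networks(rule, src, dst, tag):
    """Copy `rule` with new source/destination networks, a local SID and a tagged msg.

    Ports and all detection options are kept. flow:to_server stays correct
    because the FTP client is still the side that sends RETR; only which
    network that client sits on changes.
    """
    sid = option_value(rule, "sid")
    if sid is None:
        raise ValueError("rule has no sid to derive a local sid from")
    new = dict(rule, src=src, dst=dst)
    opts = []
    for opt in rule["opts"]:
        key, _, value = opt.partition(":")
        key = key.strip()
        if key == "sid":
            opts.append(f"sid:{LOCAL_SID_BASE + int(sid)}")  # e.g. 335 -> 1000335
        elif key == "rev":
            opts.append("rev:1")  # a new rule starts at revision 1
        elif key == "msg":
            opts.append(f'msg:{value.strip()[:-1]} ({tag})"')  # tag goes inside the quotes
        else:
            opts.append(opt)
    new["opts"] = opts
    return new


def format_rule(rule):
    """Serialise a parsed rule back into Snort syntax."""
    header = "{action} {proto} {src} {sport} {dir} {dst} {dport}".format(**rule)
    return f"{header} ({'; '.join(rule['opts'])};)"


def outbound_variants(text):
    """For each rule in `text`, the $HOME_NET -> $EXTERNAL_NET copy the post asks about."""
    return [
        format_rule(rewrite_networks(parse_rule(line), "$HOME_NET", "$EXTERNAL_NET", "outbound"))
        for line in text.splitlines() if line.strip()
    ]


if __name__ == "__main__":
    for line in outbound_variants(SAMPLE_RULES):
        print(line)
```

Calling `rewrite_networks(rule, "any", "any", "any-to-any")` gives the any-to-any form instead; the trade-off is that it also fires on internal-to-internal FTP and inspects every port-21 stream the sensor sees, whereas the mirrored $HOME_NET -> $EXTERNAL_NET copy only adds the outbound direction. Either way, writing the copy to a local rules file under its own SID rather than editing the shipped rule means the next rule-set update does not silently revert the change.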

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT

