
RE: [Snort-sigs] ftp rules question - why only external to internal?

From: L. Christopher Luther <CLuther(at)Xybernaut.com>
Date: Fri Apr 25 2003 - 11:43:14 EDT


Your question has a very subjective answer. It all depends on what the NIDS admin wants to track. The rules that come with a base Snort install are "canned". That is, they will meet the needs of most of the NIDS admins.

Having said this, however, I've heard it said and agree that *all* of the Snort rules need to be reviewed and tweaked as necessary. Your question is a case in point.

Cheers!

Christopher

-----Original Message-----
From: Jerry.L.Rose@saj02.usace.army.mil [mailto:Jerry.L.Rose@saj02.usace.army.mil]
Sent: Friday, April 25, 2003 10:35 AM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] ftp rules question - why only external to internal?

I see there are several "bad" sections in the ftp rules ("bad files" section shown below). My question is why limit these to External network to and from internal network? Wouldn't it be better to change them to any network to any network? For example, if an internal user (located on the HOME_NET) attempted to download a "bad" file from any ftp server I'd like to know about it. What am I missing here?

# BAD FILES
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; content:".forward"; flow:to_server,established; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:4;)


alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:1927; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:4;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:2;)

Jerry Rose

Network Security Administrator
U.S. Army Corps of Engineers
Jacksonville District
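An added example (mine, not from the thread or from the Snort project): a small Python matcher for the Snort rule header, run against sid:335 as shipped and against the any-to-any variant the question proposes. It assumes a constructed HOME_NET of 10.0.0.0/8 and the common snort.conf convention that $EXTERNAL_NET is !$HOME_NET, and shows that the shipped header never sees an internal client's FTP command to an outside server, which is exactly the gap Jerry describes.

```python
import ipaddress
import re

# Constructed HOME_NET for the demo (an assumption; the thread does not give one).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

# Snort rule header: action proto src sport -> dst dport ( options ... )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)

def parse_header(rule):
    """Split the header off a one-line Snort rule into its named fields."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a one-line Snort rule: %r" % rule[:40])
    return m.groupdict()

def addr_matches(spec, ip):
    """Resolve any / $HOME_NET / $EXTERNAL_NET / CIDR against one address."""
    ip = ipaddress.ip_address(ip)
    in_home = any(ip in net for net in HOME_NET)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return in_home
    if spec == "$EXTERNAL_NET":  # assumes the common snort.conf setting !$HOME_NET
        return not in_home
    return ip in ipaddress.ip_network(spec)

def header_matches(rule, src, sport, dst, dport):
    """True if a packet src:sport -> dst:dport satisfies the rule header."""
    h = parse_header(rule)
    ports_ok = (h["sport"] in ("any", str(sport))) and (h["dport"] in ("any", str(dport)))
    return ports_ok and addr_matches(h["src"], src) and addr_matches(h["dst"], dst)

# sid:335 as shipped, and the any-to-any variant the question proposes.
SHIPPED = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; '
           'flow:to_server,established; content:".rhosts"; sid:335; rev:4;)')
ANY_ANY = SHIPPED.replace("$EXTERNAL_NET any -> $HOME_NET 21", "any any -> any 21")

def coverage():
    """(inbound, outbound) hit for each rule, on two constructed FTP command packets."""
    inbound = ("198.51.100.7", 40000, "10.1.2.3", 21)   # outsider -> internal ftpd
    outbound = ("10.1.2.3", 40001, "198.51.100.7", 21)  # internal user -> external ftpd
    return {name: (header_matches(rule, *inbound), header_matches(rule, *outbound))
            for name, rule in (("shipped", SHIPPED), ("any_any", ANY_ANY))}
```

The trade-off the thread alludes to shows up here as well: the any-to-any header also fires on sessions between two outside hosts that the sensor happens to see, so widening it buys coverage of internal clients at the cost of precision, and the flow:to_server option still only helps once the session is tracked.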




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Fri Apr 25 12:22:58 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT

