On Wed, 2006-07-26 at 12:19 -0400, Reg Quinton wrote:
> Then I don't think that matters. Port 20, the ftp-data channel, is never the
> server end of the flow. The FTP server connects to the FTP client for the
> data channel. If the suggestion is

Heh... yeah, got that backwards, didn't I? No problem, let's leave it as it
is. But I still think it should replace the older sig.

> What I do is leave it as is. My post-snort processing involves looking for
> the alert and probing the host:port mentioned. If I get a 220 banner then
> yes indeed something is there.

Still cumbersome since there can be a lot of post-processing/analysis
involved.

I wonder if that can't be caught with some sort of FTP state machine
tracking via flowbits....

-Frank

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
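A sketch of the flowbits state tracking Frank asks about, added here as an example and not a rule from the thread or from Reg's signature; the sids, the flowbit name and the open port ranges are assumptions. The first rule records the server's 220 greeting on the flow without alerting, and the second alerts only when a client login follows it, so the alert itself carries the "something is really there" evidence instead of a post-snort probe.

```snort
# Rule 1 (assumed sid): the server's greeting. A live FTP service answers with
# "220 " as its first server-to-client data. Set a flowbit on the session
# instead of alerting; flowbits:noalert keeps this rule silent on its own.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FTP state - 220 banner seen from server"; flow:from_server,established; content:"220 "; depth:4; flowbits:set,ftp.banner.seen; flowbits:noalert; classtype:protocol-command-decode; sid:9000001; rev:1;)

# Rule 2 (assumed sid): a client login on the same flow. It fires only when
# rule 1 already saw the banner, so a stray USER command sent at a port with
# no FTP service behind it does not raise an alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FTP state - USER command after 220 banner"; flow:to_server,established; flowbits:isset,ftp.banner.seen; content:"USER "; depth:5; classtype:misc-activity; sid:9000002; rev:1;)
```

220 is also the SMTP greeting code, so rule 1 alone would tag mail sessions as well; the USER check in rule 2 (SMTP clients send HELO/EHLO, not USER) is what makes the pair FTP-specific, and narrowing the port list on both rules tightens it further.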
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs