Added parse_src_ip to sid 5000217 in pure-ftpd.rules.

pure-ftpd.rules

@@ -26,7 +26,7 @@
#*************************************************************

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] New FTP connection"; content: "[INFO] New connection from"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000216; sid: 5000216; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] Authentication failed"; content: "[WARNING] Authentication failed for user"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000217; sid: 5000217; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] Authentication failed"; content: "[WARNING] Authentication failed for user"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; program: pure-ftpd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000217; sid: 5000217; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] FTP user logout or timeout"; pcre: "/[INFO] Logout|[INFO] Timeout/"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000219; sid: 5000219; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] FTP notice message"; content: "[NOTICE]"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: program-error; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000220; sid: 5000220; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] Attempting to access invalid directory"; content: "[INFO] Can't change directory to"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-filename-detect; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000221; sid: 5000221; rev:3;)