
Added parse_src_ip to sid 5000217 in pure-ftpd.rules.

Champ Clark III
Champ Clark III committed Nov 5, 2018
1 parent 3f3d5ee commit 8c8bab01cc4a237d9af44b90067f59e439721f7f
Showing with 1 addition and 1 deletion.
  1. +1 −1 pure-ftpd.rules
@@ -26,7 +26,7 @@
#*************************************************************
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] New FTP connection"; content: "[INFO] New connection from"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000216; sid: 5000216; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] Authentication failed"; content: "[WARNING] Authentication failed for user"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000217; sid: 5000217; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] Authentication failed"; content: "[WARNING] Authentication failed for user"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; program: pure-ftpd; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5000217; sid: 5000217; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] FTP user logout or timeout"; pcre: "/[INFO] Logout|[INFO] Timeout/"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000219; sid: 5000219; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] FTP notice message"; content: "[NOTICE]"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: program-error; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000220; sid: 5000220; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PUREFTPD] Attempting to access invalid directory"; content: "[INFO] Can't change directory to"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-filename-detect; program: pure-ftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000221; sid: 5000221; rev:3;)
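Review bot: `parse_src_ip: 1` on sid 5000217 takes the first address found in the log message, so the alert's source is only correct when pure-ftpd writes the client address ahead of the user name. The user name that follows the matched text is client-supplied, so if the daemon logs resolved host names rather than addresses, an address placed in that field could presumably be picked up as the alert source. I would document the dependency above the rule, e.g. `# parse_src_ip: 1 needs pure-ftpd to log client IPs (DontResolve yes); the user name later in the line is client-supplied`. The active sid 5000221 rule in the same hunk has no `parse_src_ip`, so its alerts presumably still carry the syslog sender's address; it is worth checking whether it should get the same option.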
