near-sapphire
Cyber Info, 3y ago

Snort Struggles: How to detect the FTP service name?

I am muddling through learning Snort and feeling a bit daft. I'm trying to write a rule that allows me to detect the FTP service name used in a .pcap.

I analyzed the .pcap with sudo snort -c local.rules -A full -l . -r ftp-png-gif.pcap

I looked up some ways to find the FTP service name and I found a few, like sudo snort -r snort.log.1671731339 -X -n 10, which would probably do the trick, but I'm not sure why. I get that -X has something to do with the preprocessor, but I'm not sure why this outputs anything with FTP, or how to find where the FTP service name is in the output.