Snort Struggles: How to detect the FTP service name?
I am muddling through learning Snort and feeling a bit daft. I'm trying to write a rule that allows me to detect the FTP service name used in a .pcap.
I analyzed the .pcap with
sudo snort -c local.rules -A full -l . -r ftp-png-gif.pcap
I looked up some ways to find the FTP service name and I found a few like
sudo snort -r snort.log.1671731339 -X -n 10
which would probably do the trick, but I'm not sure why. I get that -X has something to do with the preprocessor, but I'm not sure why this outputs anything with FTP, or how to find where the FTP service name is in the output.
UPDATE:
I used the
sudo snort -r snort.log.1671731339 -X -n 10
command and got results for the 10 packets that look like this. As you can see, I found a packet that said 220 Microsoft FTP Service, but I still don't know why this worked or how they knew the answer would be within 10 packets of the log.
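Why `-X` surfaces the service name, as an added illustration that is not part of the original thread: `-X` makes Snort dump each packet's raw bytes starting at the link layer as hex with an ASCII column beside it, and an FTP server sends its `220` greeting as the very first application data right after the TCP handshake, so the banner sits in the ASCII column of one of the first few packets of the session (which is why `-n 10` is enough). The Python below was written for this page and is not Snort code; it uses a constructed in-memory pcap instead of the poster's ftp-png-gif.pcap (the addresses, ports and timestamp are made up). It parses a libpcap file, walks the IPv4/TCP segments, reports the packet number and text of the first `220` line sent from port 21, and prints a hex/ASCII dump in the style of `-X`.

```python
import struct

# Constructed sample data for this example (not a real capture): a libpcap file holding
# a TCP handshake on port 21 followed by the server's FTP greeting banner.
FTP_BANNER = b"220 Microsoft FTP Service\r\n"
CLIENT_IP, SERVER_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
CLIENT_PORT, FTP_PORT = 50000, 21


def _tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame. Checksums are left zero; the parser below ignores them."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, src_ip, dst_ip)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Little-endian libpcap file: SYN, SYN/ACK, ACK, then the server banner (packet 4)."""
    frames = [
        _tcp_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, FTP_PORT, 0x02),              # SYN
        _tcp_frame(SERVER_IP, CLIENT_IP, FTP_PORT, CLIENT_PORT, 0x12),              # SYN/ACK
        _tcp_frame(CLIENT_IP, SERVER_IP, CLIENT_PORT, FTP_PORT, 0x10),              # ACK
        _tcp_frame(SERVER_IP, CLIENT_IP, FTP_PORT, CLIENT_PORT, 0x18, FTP_BANNER),  # PSH/ACK
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1671731339, n, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap):
    """Yield (ts_sec, frame) for each record in a libpcap byte string (either byte order)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("this example only handles Ethernet captures (link type 1)")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def tcp_payloads(pcap):
    """Yield (packet_number, src_port, dst_port, payload) for every IPv4/TCP segment."""
    for idx, (_ts, frame) in enumerate(iter_packets(pcap), start=1):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4                          # IP header length in bytes
        if frame[23] != 6:                                    # IP protocol 6 = TCP
            continue
        total_len = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4                         # TCP header length in bytes
        yield idx, sport, dport, tcp[data_off:]


def find_ftp_banner(pcap, port=FTP_PORT):
    """Return (packet_number, greeting text) for the first 220 line sent from `port`, else None."""
    for idx, sport, _dport, payload in tcp_payloads(pcap):
        if sport == port and payload.startswith(b"220"):
            return idx, payload.decode("ascii", "replace").strip()
    return None


def hexdump(data, width=16):
    """Hex plus ASCII rendering, the same layout that makes the banner readable under snort -X."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hex_part = " ".join("%02X" % b for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04X  %-*s  %s" % (i, width * 3 - 1, hex_part, ascii_part))
    return "\n".join(lines)


if __name__ == "__main__":
    sample = build_sample_pcap()
    hit = find_ftp_banner(sample)
    print("FTP greeting found in packet %d: %s" % hit)
    print(hexdump(FTP_BANNER))
```

The same idea as a detection rule in `local.rules` is to match the first bytes of the server's response on port 21, for example `alert tcp any 21 -> any any (msg:"FTP server greeting"; flow:from_server,established; content:"220 "; depth:4; sid:1000001; rev:1;)`, where the sid is a placeholder in the local range; the packet that fires it is the one whose ASCII column carries the service name.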