Fox'Say! · 12mo ago

Snort Struggles: How to detect the FTP service name?

I am muddling through learning Snort and feeling a bit daft. I'm trying to write a rule that lets me detect the FTP service name used in a .pcap. I analyzed the .pcap with sudo snort -c local.rules -A full -l . -r ftp-png-gif.pcap. I looked up some ways to find the FTP service name and found a few, like sudo snort -r snort.log.1671731339 -X -n 10, which would probably do the trick, but I'm not sure why. I get that -X has something to do with the preprocessor, but I'm not sure why this outputs anything with FTP, or how to find where the FTP service name is in the output.
2 Replies
Fox'Say! · 12mo ago
UPDATE: I used the sudo snort -r snort.log.1671731339 -X -n 10 command and got results for the 10 packets that look like this. As you can see, I found a packet that said 220 Microsoft FTP Service, but I still don't know why this worked or how they knew the answer would be within 10 packets of the log.
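An added example rule for the question in the original post (it is not the poster's rule, nor anything from the thread). It assumes Snort 2 rule syntax, matching the command-line flags the post uses, and that the rule goes into the local.rules file the post already loads with -c. The point it demonstrates is where the service name actually sits on the wire: an FTP server's first data segment after the TCP handshake on port 21 is a "220 <banner>" greeting line, and "220 Microsoft FTP Service" in the -X dump is exactly that line, so the rule anchors on the server side of port 21 and on the 220 reply code rather than on a specific vendor string.

```snort
# local.rules (added example, not from the original post)
#
# Fire on the FTP server greeting. The greeting is the first payload the
# server sends on port 21 after the three-way handshake, and it carries the
# service name (for example "220 Microsoft FTP Service").
#
# - "any 21 -> any any" restricts the match to traffic FROM the server port,
#   so client commands (USER, PASS, RETR ...) on the other direction are ignored.
# - content "220 " with depth:4 checks only the first four payload bytes, so the
#   reply code must open the line; a "220" appearing later in a file transfer
#   does not match.
# - the pcre keeps the match on a single greeting line and requires "FTP" to
#   appear in it (case-insensitive), which avoids alerting on other servers
#   that also happen to answer with a 220-style code.
# sid 1000001 is an assumed local SID in the >= 1000000 range reserved for
# user-written rules; pick any unused one.
alert tcp any 21 -> any any ( \
    msg:"FTP server greeting banner observed"; \
    content:"220 "; depth:4; \
    pcre:"/^220[ -][^\r\n]*FTP/i"; \
    sid:1000001; rev:1; \
)
```

Run it the same way as in the post, swapping -A full for -A console to see the alert on the terminal while the pcap is replayed: sudo snort -c local.rules -A console -l . -r ftp-png-gif.pcap. The msg text appears for the packet carrying the greeting, and the packet is also written to the snort.log.<timestamp> file in the current directory. As for the follow-up question: -X is not a preprocessor option; it tells snort to dump each packet's raw bytes (hex and ASCII) starting at the link layer, which is why the ASCII column shows the greeting text, and -n 10 simply stops after the first 10 packets. In a capture of a single FTP session the greeting is typically the fourth packet (SYN, SYN/ACK, ACK, then the 220 line), so stopping at 10 is just a cheap way to keep the dump short; with a larger log, raising the count or reading only the packets the rule logged is the safer approach.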