tags:

views:

15

answers:

1

Right, well, I'm working on an IDS using Snort, to be run on the client side. At the moment I'm trying to create alerts when certain FTP commands are issued, and yet it does not seem to catch them. The rest of my rules file is fine and works for detecting portscans and logins to Facebook. Here's what I've done:

# Preprocessors. stream5 is what gives the flow: keyword its notion of
# client/server direction, so it has to be configured for the flow rules below to fire.
preprocessor sfportscan: proto { all } scan_type { all } sense_level { medium } logfile { portscan.log }
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes

# Snort expects every rule option, including the last one, to be terminated with ';'.
# rev: is added as the usual convention for local rules.
alert tcp any any -> 66.220.144.0/20 80 (msg:"Facebook Login successful"; sid:2000000; rev:1;)

# FTP control-channel commands sent by the client. In Snort, flow:to_server and
# flow:from_client are synonyms, so either spelling gives the same direction check.
alert tcp any any -> any 21 (msg:"CDUP attempted"; flow:to_server; content:"CDUP"; nocase; sid:3000000; rev:1;)
alert tcp any any -> any 21 (msg:"SYST attempted"; flow:to_server; content:"SYST"; nocase; sid:4000000; rev:1;)
# The FTP wire command for removing a directory is RMD (RFC 959). "rmdir" is only a
# client-side alias and never appears on the wire, so content:"RMDIR" can never match.
alert tcp any any -> any 21 (msg:"RMDIR attempted"; flow:to_server; content:"RMD"; nocase; sid:5000000; rev:1;)
alert tcp any any -> any 21 (msg:"DELE attempted"; flow:to_server; content:"DELE"; nocase; sid:6000000; rev:1;)

In the flow sections, should it be from_client instead of to_server? That said, I don't really know much about stream5, and the manual isn't much help. I can see the FTP commands appear on the command line when Snort is running, and I have observed them with Wireshark as well.
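To make the direction and content logic of the rules above concrete, here is an added example (not code from the original post, and not Snort itself) that models how flow:to_server plus content:/nocase would evaluate over a constructed FTP session. It deliberately simplifies one thing: real stream5 decides which side is the "server" from the TCP handshake, whereas this toy uses the destination port, an assumption that holds for a normal client-initiated control connection. The session bytes, port numbers and rule objects are all constructed here for illustration.

```python
"""Toy evaluation of Snort-style FTP rules over a constructed FTP control session.

Added example, not Snort code. Models three things the rules depend on:
  * flow:to_server (== flow:from_client) only looks at client -> server packets,
  * content: with nocase matches regardless of case,
  * the FTP wire command for "rmdir" is RMD (RFC 959), so content:"RMDIR" never fires.
"""
from dataclasses import dataclass

FTP_PORT = 21


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    content: bytes
    flow: str = "to_server"   # Snort treats from_client as a synonym of to_server
    nocase: bool = True
    service_port: int = FTP_PORT


def direction_ok(pkt: Packet, rule: Rule) -> bool:
    """Direction check. Assumption: the side listening on the service port is the server
    (real stream5 derives this from which side sent the SYN)."""
    if rule.flow in ("to_server", "from_client"):
        return pkt.dst_port == rule.service_port
    if rule.flow in ("to_client", "from_server"):
        return pkt.src_port == rule.service_port
    raise ValueError(f"unknown flow option: {rule.flow}")


def content_ok(pkt: Packet, rule: Rule) -> bool:
    """content: is a substring match anywhere in the payload; nocase folds case."""
    hay = pkt.payload.lower() if rule.nocase else pkt.payload
    needle = rule.content.lower() if rule.nocase else rule.content
    return needle in hay


def evaluate(packets, rules):
    """Return (sid, msg, command line) for every packet/rule pair that would alert."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if direction_ok(pkt, rule) and content_ok(pkt, rule):
                alerts.append((rule.sid, rule.msg, pkt.payload.rstrip(b"\r\n").decode()))
    return alerts


# The four FTP rules from the question, as posted (RMDIR still spelled that way).
RULES = [
    Rule(3000000, "CDUP attempted", b"CDUP"),
    Rule(4000000, "SYST attempted", b"SYST"),
    Rule(5000000, "RMDIR attempted", b"RMDIR"),
    Rule(6000000, "DELE attempted", b"DELE"),
]

# Constructed session: client on ephemeral port 51234, server on 21.
SESSION = [
    Packet(21, 51234, b"220 Welcome\r\n"),                    # server banner: wrong direction
    Packet(51234, 21, b"USER alice\r\n"),
    Packet(51234, 21, b"syst\r\n"),                           # lower case: nocase handles it
    Packet(51234, 21, b"CDUP\r\n"),
    Packet(51234, 21, b"RMD olddir\r\n"),                     # what typing "rmdir" sends
    Packet(51234, 21, b"DELE notes.txt\r\n"),
    Packet(21, 51234, b"250 DELE command successful\r\n"),    # server echo: to_client, no alert
]


def alerts_as_posted():
    """SIDs that fire with the rules exactly as written in the question."""
    return [sid for sid, _, _ in evaluate(SESSION, RULES)]


def alerts_with_rmd():
    """Same session, with the directory-removal rule corrected to the wire command RMD."""
    fixed = Rule(5000000, "RMDIR attempted", b"RMD")
    return evaluate(SESSION, [fixed])


def from_client_equals_to_server():
    """flow:from_client and flow:to_server select the same packets."""
    a = evaluate(SESSION, [Rule(6000000, "DELE attempted", b"DELE", flow="to_server")])
    b = evaluate(SESSION, [Rule(6000000, "DELE attempted", b"DELE", flow="from_client")])
    return a == b


if __name__ == "__main__":
    print(alerts_as_posted())            # RMDIR rule is silent; SYST, CDUP, DELE fire
    print(alerts_with_rmd())             # corrected rule fires on "RMD olddir"
    print(from_client_equals_to_server())
```

The point the toy makes is that the question's choice between from_client and to_server changes nothing, while the RMDIR rule cannot fire on any real FTP traffic because no client ever puts "RMDIR" on the wire. Before trusting a rules file against real traffic, run Snort in test mode with `snort -T -c snort.conf` to catch syntax problems, then replay a capture of the FTP session with `snort -c snort.conf -r session.pcap -A console` so the alerts can be compared against what Wireshark shows.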

A: 

There are example rules here that I have used for reference, and may be helpful.

Steve