Suricata rule with FTP header


Why is this simple rule not working?

alert ftp any any -> any any (msg:"FILE PDF file claimed"; fileext:"pdf"; filestore; sid:2; rev:1;)

It could not detect any PDF file transported by FileZilla, for example.


The most likely answer is that the dynamic protocol detection is failing to identify the connection as FTP. You may want to start with something simpler. To see if the protocol detector sees that connection as FTP, you could try this:

 alert ftp any any -> any any

With no rule options, this should generate an alert for every packet in the stream after FTP is detected.
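As an added example (not part of the question or the answer above), here is a small Python triage script for the check the answer describes: it reads Suricata's eve.json and reports what the protocol detector recorded for each flow, which flows a test signature fired on, and which PDF files were logged. The EVE lines are constructed samples; the signature id 1000001 and the `ftp-data` app_proto value for the FTP data channel are assumptions (the latter follows Suricata's own naming).

```python
import json
from collections import Counter

# Constructed sample EVE lines (not real capture output). Field names follow
# Suricata's eve.json schema for "flow", "alert" and "fileinfo" events.
SAMPLE_EVE = """\
{"event_type":"flow","flow_id":1,"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","dest_port":21,"proto":"TCP","app_proto":"ftp"}
{"event_type":"flow","flow_id":2,"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","dest_port":2121,"proto":"TCP","app_proto":"failed"}
{"event_type":"alert","flow_id":1,"app_proto":"ftp","alert":{"signature_id":1000001,"signature":"FTP detected"}}
{"event_type":"fileinfo","flow_id":3,"app_proto":"ftp-data","fileinfo":{"filename":"report.pdf","stored":true,"state":"CLOSED"}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line at the end of a live log is normal
    return events


def app_proto_summary(events):
    """Count how the protocol detector classified each flow ("failed" = no match)."""
    return Counter(e.get("app_proto", "unknown")
                   for e in events if e.get("event_type") == "flow")


def flows_alerting(events, sid):
    """Flow ids on which the signature with the given sid fired."""
    return {e["flow_id"] for e in events
            if e.get("event_type") == "alert"
            and e.get("alert", {}).get("signature_id") == sid}


def pdf_files_seen(events):
    """(filename, app_proto) for every logged file whose name ends in .pdf."""
    return [(e["fileinfo"]["filename"], e.get("app_proto")) for e in events
            if e.get("event_type") == "fileinfo"
            and e["fileinfo"].get("filename", "").lower().endswith(".pdf")]


def diagnose(text, sid):
    """Summarise whether FTP was detected, whether the test rule fired, and which PDFs were seen."""
    events = parse_eve(text)
    protos = app_proto_summary(events)
    return {"flows_by_app_proto": dict(protos),
            "ftp_detected": protos.get("ftp", 0) > 0,
            "flows_with_sid": sorted(flows_alerting(events, sid)),
            "pdf_files": pdf_files_seen(events)}


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_EVE, 1000001), indent=2))
```

If `flows_by_app_proto` shows no `ftp` entry for the transfer's control connection, the bare `alert ftp` rule cannot fire and the problem lies in protocol detection rather than in the `fileext` options.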