Next: Optimizing Rules Up: Writing Good Rules Previous: Catch the Vulnerability, Not   Contents

Catch the Oddities of the Protocol in the Rule

Many services accept their commands in upper case as well as lower case, and tolerate other variations in how a command is written. FTP is a good example. To send the username, an FTP client sends:

    user username_here

A simple rule to look for FTP root login attempts could be:

    alert tcp any any -> any 21 (content:"user root";)

While it may seem trivial to write a rule that looks for the username root, a good rule must handle all of the variations the protocol allows when it accepts the user command.

For example, each of the following is accepted by most FTP servers; they differ only in the case of the letters and in the amount and kind of whitespace between the command and its argument:

    user root
    USER root
    User Root
    user   root
    user<tab>root

To catch every form that the FTP server accepts, the rule needs more than a simple, case-sensitive string match.

A good rule that looks for a root login on FTP would be:

    alert tcp any any -> any 21 (flow:to_server,established; \
        content:"root"; pcre:"/user\s+root/i";)

There are a few important things to note in this rule:


Eugene Misnik 2013-05-08