header bg

Question:

Which of the following rules are correct for this situation:
You are configuring Snort rules and want an alert message of "Attempted FTP" on any FTP packet originating from an outside IP and destined for one of your internal hosts.

A alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:″Attempted FTP″)
Explaination

The syntax for Snort rules is the same: action protocol src address src port -> dest address port (options).