Which of the following rules are correct for this situation: You are configuring Snort rules and want an alert message of "Attempted FTP" on any FTP packet originating from an outside IP and destined for one of your internal hosts.
A
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:″Attempted FTP″)
explanation
The syntax for Snort rules is the same: action protocol src address src port -> dest address port (options).
Comments