MIDDLETON RULES

1. # No external FTP #
2. alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"External FTP access";sid:9000900;)
3.  
4. # Download only from local FTP
5. alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"Download from non-local FTP server";flow:to_client;content:"226";sid:9000901;)
6.  
7. ## FTP DICTIONARY ATTACK ##
8. # 10 Failed logins #
9. alert tcp any 21 -> any any (msg:"10 Failed FTP logins";content:"530";depth:3;detection_filter:track by_src,count 10,seconds 500;flowbits:set,ftp;sid:9000902;)
10.  
11. # Successful login after 10 failed #
12. alert tcp any 21 -> any any (msg:"Successful FTP login after 10 failed events";content:"230";flowbits:isset,ftp;flowbits:unset,ftp;sid:9000903;)
13.  
14. ### EVENT FILTERS ###
15. event_filter gen_id 1, sig_id 9000900, type limit, track by_src, count 1, seconds 20
16. event_filter gen_id 1, sig_id 9000901, type limit, track by_src, count 1, seconds 20
17. event_filter gen_id 1, sig_id 9000902, type limit, track by_src, count 1, seconds 20
18. event_filter gen_id 1, sig_id 9000903, type limit, track by_src, count 1, seconds 20