I am facing an issue with signature matching for traffic without handshake signals.
I wrote the following signature:
signature ftp_220response {
    ip-proto == tcp
    payload /[\n\r ](120|220)[^0-9].\r\n/
    event "FTP Response 220 matched"
}
This signature matches for traffic with the initial SYN, SYN-ACK and ACK followed by the 220 response FTP packet,
but if I give it traffic without the initial handshake (i.e. only the 220 response FTP packet), the same signature does not match; however, the signature without the line "ip-proto == tcp" does work, i.e.
signature ftp_220response {
    payload /[\n\r ](120|220)[^0-9].\r\n/
    event "FTP Response 220 matched"
}
The above signature works for both cases (with and without handshake packets), but I am curious to know why the signature with the line "ip-proto == tcp" does not work for the asymmetric case.
Is this the intended behaviour?
-Sri
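To see exactly which payloads the posted `payload` expression accepts, independent of the TCP-state question, here is an added test harness that is not part of the original post. It runs the same regular expression over a handful of constructed FTP reply lines with Python's `re` module; the assumption is that Python's dialect agrees with Zeek's matcher for this simple pattern and that `re.search()` scanning the whole buffer is a fair approximation. The sample lines are constructed, not captured traffic.

```python
import re

# Payload expression copied from the posted Zeek signature. Python's re is
# used here as an approximation of Zeek's signature matcher (assumption: the
# two regex dialects agree for this pattern; search() scans the whole buffer).
FTP_220_PAYLOAD = re.compile(rb"[\n\r ](120|220)[^0-9].\r\n")


def payload_matches(payload: bytes) -> bool:
    """True when the posted payload expression matches anywhere in payload."""
    return FTP_220_PAYLOAD.search(payload) is not None


# Constructed sample payloads (not captured traffic), keyed by what they test.
SAMPLES = {
    "realistic banner":       b"220 FTP server ready\r\n",
    "banner after CRLF":      b"\r\n220 FTP server ready\r\n",
    "two chars then CRLF":    b"\r\n220 a\r\n",
    "leading space, 120":     b" 120 b\r\n",
    "code followed by digit": b" 2200 a\r\n",
    "multi-line reply":       b"220-Welcome\r\n220 a\r\n",
}


def evaluate(samples: dict[str, bytes] = SAMPLES) -> dict[str, bool]:
    """Run the payload expression over every sample and report the outcome."""
    return {name: payload_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'match   ' if hit else 'no match'}  {name}")
```

Two properties of the expression show up immediately: the leading `[\n\r ]` class requires a whitespace or newline byte before the reply code, so a banner that starts at the very first byte of the payload is rejected, and `[^0-9].\r\n` admits exactly two bytes between the code and the CRLF, so a normal banner such as `220 FTP server ready` is rejected even when preceded by a CRLF. The harness only exercises the payload condition; it cannot reproduce the handshake-dependent behaviour of `ip-proto == tcp`, which is a question about the signature engine's connection state rather than the regex.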