Which of the following snort rules look for FTP root login attempts?

Which of the following snort rules look for FTP root login attempts?
A . alert tcp -> any port 21 (msg:"user root";)
B . alert tcp -> any port 21 (message:"user root";)
C . alert ftp -> ftp (content:"user password root";)
D . alert tcp any any -> any any 21 (content:"user root";)

View Answer

Answer: D

Explanation:

The snort rule header is built by defining action (alert), protocol (tcp), from IP subnet port (any any), to IP subnet port (any any 21), Payload Detection Rule Options (content:”user root”;)