Unable to submit the task for IDS 1.3 Challenge Exercise

Hi Everyone,

I just completed the IDS basics exercise but I am unable to complete the challenge exercise. I have applied the first and second rules as instructed, but when I click submit/complete it keeps telling me I am wrong, even though I was able to achieve the outcome of the task in the lab with the same rule syntax:

  1. alert tcp any any → any 21 (msg: "FTP Traffic Detected"; sid:4;)
  2. alert tcp any 21 <> any any (msg: "FTP Traffic Detected"; sid:5;)

Any help will be appreciated.

For the answer to #1, I see an arrow symbol, but it should be hyphen then greater than (->).

For both #1 and #2 remove the space between msg: and "FTP…"

Good (msg:"FTP…
Bad (msg: "FTP…

They might work fine but the grader is picky about spaces.


Thanks, I removed the space as advised and it passed.

Hi Joseph,

I am facing the same issue:

Please help.


Hi GRV08,
I had similar issues, and although I know that the Snort rule is correct, when I tried posting the answer in the answer fields, I would get red fields of death.

I was originally trying it on Chrome browser, and switched to Safari and was able to get the credits for task 1.3

You may try using caps for FTP.

“red fields of death” LOL

I am having the same issue, but if I enter them one at a time they show as passing, whereas if I put them both in, they both fail.

Just tested this lesson by inputting the correct answers together. I wasn’t able to reproduce an issue with the correct answers failing when submitted at the same time.

I would recommend double-checking the answers to confirm all of the spacing and special characters are correct.


alert tcp any 21 <> any any (msg:"FTP Traffic Detected"; sid:4;)
alert tcp any 21 <> any any (msg:"FTP Traffic Detected"; sid:5;)

THIS IS CORRECT

The answer you show is not correct, but I would like to understand why you think it is correct.

If you want to argue that…

alert tcp any 21 <> any any (msg:"FTP Traffic Detected"; sid:4;)

OR

alert tcp any 21 <> any any (msg:"FTP Traffic Detected"; sid:5;)

…is sufficient to monitor FTP by itself, then I would agree. A single bi-directional rule would work.

In other words…

alert tcp any any -> any PORT (msg:"PORT Detected"; sid:4;)
alert tcp any PORT <> any any (msg:"PORT Detected"; sid:5;)

Is no better than…

alert tcp any PORT <> any any (msg:"PORT Detected"; sid:5;)

or even

alert tcp any any <> any PORT (msg:"PORT Detected"; sid:5;)

…by itself as <> will catch traffic to and from the PORT specified.

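To make the last reply's point concrete (a `->` rule fires only on packets travelling from the rule's source to its destination, while a `<>` rule fires on the same connection in either direction), here is a small added example that is not part of the thread and not Snort's own parser. It parses a Snort-style rule header into its fields, matches it against constructed packet 5-tuples for an FTP control connection in both directions, and also flags the two typing pitfalls the thread raises (a Unicode arrow in place of `->`, and a space after `msg:`). The port and address specs it understands (`any`, single port, `low:high` range, host or CIDR, `!` negation) are a deliberate subset of Snort's syntax; the packet tuples and the `lint_for_grader` rules are assumptions made for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Snort has exactly two direction operators, "->" and "<>".  The Unicode arrow
# that forum software substitutes for "->" simply fails to match this header.
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)


@dataclass
class Flow:
    """One packet's 5-tuple (constructed test data, not a real capture)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_rule(text: str) -> dict:
    """Header fields plus options as a dict, e.g. {'msg': 'FTP ...', 'sid': '4'}.
    Simplification: a ';' inside a quoted msg value is not handled."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid Snort rule header: {text!r}")
    rule = m.groupdict()
    opts = {}
    for raw in rule.pop("options").split(";"):
        if raw.strip():
            key, _, value = raw.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    rule["options"] = opts
    return rule


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, a 'low:high' range, or '!' negation of those."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        low, _, high = spec.partition(":")
        return (not low or int(low) <= port) and (not high or port <= int(high))
    return int(spec) == port


def ip_matches(spec: str, ip: str) -> bool:
    """'any', a host or CIDR network, or '!' negation of those."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule: dict, flow: Flow) -> bool:
    """True if the header fires on the packet.  With '->' only rule-src to
    rule-dst counts; with '<>' the same packet seen reversed counts as well."""
    if rule["proto"] != "ip" and rule["proto"] != flow.proto:
        return False

    def one_way(src_ip, src_port, dst_ip, dst_port):
        return (ip_matches(rule["src_ip"], src_ip) and port_matches(rule["src_port"], src_port)
                and ip_matches(rule["dst_ip"], dst_ip) and port_matches(rule["dst_port"], dst_port))

    if one_way(flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port):
        return True
    return rule["direction"] == "<>" and one_way(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)


def lint_for_grader(text: str) -> list:
    """The typing pitfalls called out in the thread: a Unicode arrow instead of
    '->', curly quotes, and a space between 'msg:' and the opening quote.
    Snort tolerates that space; the course grader reportedly does not."""
    issues = []
    if "\u2192" in text:
        issues.append("unicode arrow instead of ->")
    if "\u201c" in text or "\u201d" in text:
        issues.append("curly quotes instead of straight quotes")
    if re.search(r'msg:\s+["\u201c]', text):
        issues.append("space after msg:")
    return issues


def demo() -> dict:
    """Both thread rules against one FTP control connection, each direction."""
    one_way = parse_rule('alert tcp any any -> any 21 (msg:"FTP Traffic Detected"; sid:4;)')
    bidir = parse_rule('alert tcp any 21 <> any any (msg:"FTP Traffic Detected"; sid:5;)')
    client_to_server = Flow("tcp", "10.0.0.5", 51000, "192.0.2.10", 21)  # constructed
    server_to_client = Flow("tcp", "192.0.2.10", 21, "10.0.0.5", 51000)  # constructed
    return {
        "one_way_c2s": matches(one_way, client_to_server),
        "one_way_s2c": matches(one_way, server_to_client),
        "bidir_c2s": matches(bidir, client_to_server),
        "bidir_s2c": matches(bidir, server_to_client),
    }
```

Running `demo()` shows the `->` rule firing only on the client-to-server packet and the `<>` rule firing on both, which is why a single bidirectional rule is enough to see all traffic to and from the port. Since the sid 5 rule already covers everything the sid 4 rule matches, keeping both in one ruleset just produces two alerts for every client-to-server packet.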