Which of the following snort rules look for FTP root login attempts?
A.
alert ftp -> ftp (content:"user password root";)
B.
alert tcp any any -> any any 21 (content:"user root";)
C.
alert tcp -> any port 21 (message:"user root";)
D.
alert tcp -> any port 21 (msg:"user root";)
Explanation:
The snort rule header is built by defining action (alert), protocol (tcp), from IP subnet port (any any), to IP subnet port (any any 21), Payload Detection Rule Options (content:"user root "; )