Snort Rule Engineer

📡 Threat: Brute Force Detected

A botnet is trying to access the company servers through the FTP protocol (Port 21), using unencrypted connections and trying to log in with the root user.

Write a complete Snort rule that generates an alert when it detects the payload USER root heading to our local network ($HOME_NET).
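
One possible solution, added here as a worked example and not part of the original challenge. It uses Snort 2.x rule syntax; the $EXTERNAL_NET source, the msg text, the choice of classtype, the detection_filter numbers and the sid values are assumptions chosen for illustration (sids of 1000000 and above are the range used for local rules).

```snort
# Rule 1: direct answer to the exercise.
# Alert on any FTP login attempt for the root account that is headed
# to the local network on the FTP control port (21).
#   flow:to_server,established  only inspect client-to-server traffic on a
#                               completed TCP handshake, which drops spoofed
#                               one-packet noise
#   content:"USER root"         the cleartext FTP command named in the brief
#   nocase                      FTP commands are case-insensitive, so
#                               "user root" must match as well
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( \
    msg:"FTP login attempt as root"; \
    flow:to_server,established; \
    content:"USER root"; nocase; \
    classtype:attempted-admin; \
    sid:1000001; rev:1;)

# Rule 2: rate-based variant for the brute-force pattern itself.
# detection_filter makes the rule fire only after the same source has
# matched more than 5 times within 60 seconds, so a single mistyped login
# does not alert but a repeated guessing run does.
# The pcre tolerates extra whitespace between USER and root and requires
# a word boundary, so "USER rootbeer" is not reported.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( \
    msg:"FTP brute force against root account"; \
    flow:to_server,established; \
    content:"USER"; nocase; \
    pcre:"/^USER\s+root\b/smi"; \
    detection_filter:track by_src, count 5, seconds 60; \
    classtype:attempted-admin; \
    sid:1000002; rev:1;)
```

Because a botnet spreads its attempts across many source addresses, Rule 1 gives visibility into every attempt, while Rule 2 only catches sources that individually exceed the threshold.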
