[Snort-sigs] Signature 354

Maxim Gansert braker at ...307...
Thu Jan 24 13:19:06 EST 2002


regards
-------------- next part --------------
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  

--
Sid: 354

--
Summary: ISS - Internet Security Scanner FTP-Access Check

--
Impact: Any FTP Server which allows write/execute to account 'ftp' or 'anonymous'

--
Detailed Information: Internet Security Scanner tries to find directories where the write/execute flag is set for anonymous accounts. These accounts are usually 'ftp' or 'anonymous'.  The string iss at ...318... is the password, ISS tries, if a password is required for those accounts.

--
Attack Scenarios: Someone definetly scans you, by using Internet Security Scanner.

--
Ease of Attack: ISS is commercially avaible and you can buy a license to scan special networks or hosts.

--
False Positives:

--
False Negatives: You can change the default password string when scanning for weak anonymous accounts. And you won't find ISS scanning you but ISS will also trigger some more signatures.

--
Corrective Action: Disable write/execute access to anonymous accounts like 'ftp' or 'anonymous'.

--
Contributors:

-- 
Additional References:


More information about the Snort-sigs mailing list