[Snort-sigs] SID 354: FTP ISS SCAN
braker at ...307...
Sat Jan 26 11:24:05 EST 2002
# SORRY Guys, the Rule wasn't added to Snort-DB last time, maybe because
# of attachments... So I Try this a second time.. without att.
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
Summary: ISS - Internet Security Scanner FTP-Access Check
Impact: Any FTP Server which allows write/execute to account 'ftp' or
Detailed Information: Internet Security Scanner tries to find
directories where the write/execute flag is set for anonymous accounts.
These accounts are usually 'ftp' or 'anonymous'. The string iss at ...318...
is the password, ISS tries, if a password is required for those
Attack Scenarios: Someone definetly scans you, by using Internet
Ease of Attack: ISS is commercially avaible and you can buy a license to
scan special networks or hosts.
False Negatives: You can change the default password string when
scanning for weak anonymous accounts. And you won't find ISS scanning
you but ISS will also trigger some more signatures.
Corrective Action: Disable write/execute access to anonymous accounts
like 'ftp' or 'anonymous'.
More information about the Snort-sigs