[Snort-sigs] SID 354: FTP ISS SCAN

Maxim Gansert braker at ...307...
Sat Jan 26 11:24:05 EST 2002


# Sorry guys, the rule wasn't added to Snort-DB last time, maybe because
# of attachments... So I'll try this a second time, without attachments.
#
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:

--
Sid: 354

--
Summary: ISS - Internet Security Scanner FTP-Access Check

--
Impact: Any FTP Server which allows write/execute to account 'ftp' or
'anonymous'

--
Detailed Information: Internet Security Scanner tries to find
directories where the write/execute flag is set for anonymous accounts.
These accounts are usually 'ftp' or 'anonymous'.  The string iss at ...318...
is the password ISS tries if a password is required for those
accounts.

--
Attack Scenarios: Someone is definitely scanning you, using Internet
Security Scanner.

--
Ease of Attack: ISS is commercially available and you can buy a license to
scan special networks or hosts.

--
False Positives:

--
False Negatives: You can change the default password string when
scanning for weak anonymous accounts, and then you won't find ISS scanning
you, but ISS will also trigger some more signatures.

--
Corrective Action: Disable write/execute access to anonymous accounts
like 'ftp' or 'anonymous'.

--
Contributors:

--
Additional References:
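
Added example, not part of the original post or of Snort: a stateful check over FTP command logs for the behaviour described above, a login to 'ftp' or 'anonymous' with a known scanner password. The log format, the sample lines and the password placeholder (the real string is elided in the post) are assumptions; tracking write commands on anonymous sessions goes beyond the rule and covers the changed-password case noted under False Negatives.

```python
import re

# Assumption: the real ISS default password is elided on the page, so this
# placeholder stands in for it. Replace it with the value from your rule set.
SCANNER_PASSWORDS = {"scanner-default@placeholder.invalid"}
ANON_USERS = {"ftp", "anonymous"}
WRITE_VERBS = {"STOR", "STOU", "APPE", "MKD", "DELE", "RNFR"}

# Constructed sample: "<connection id> <FTP command line>" as a sensor might log it.
SAMPLE = """\
c1 USER anonymous
c1 PASS scanner-default@placeholder.invalid
c2 USER ftp
c2 PASS someone@example.org
c3 user FTP
c3 pass scanner-default@placeholder.invalid
c4 USER alice
c4 PASS scanner-default@placeholder.invalid
c1 MKD probe
c2 STOR upload.bin
"""

LINE = re.compile(r"^(\S+)\s+([A-Za-z]+)(?:\s+(.*))?$")

def analyse(log_text, scanner_passwords=SCANNER_PASSWORDS):
    """Return (scanner_logins, anon_write_attempts) found in the command log."""
    anon_pending = set()   # sent USER ftp/anonymous, PASS not yet seen
    anon_sessions = set()  # sent USER+PASS for an anonymous account (server reply not seen)
    scanner_logins, write_attempts = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        conn, verb, arg = m.group(1), m.group(2).upper(), (m.group(3) or "").strip()
        if verb == "USER":
            # A new USER resets whatever state the connection had.
            anon_pending.discard(conn)
            anon_sessions.discard(conn)
            if arg.lower() in ANON_USERS:
                anon_pending.add(conn)
        elif verb == "PASS" and conn in anon_pending:
            anon_pending.discard(conn)
            anon_sessions.add(conn)
            if arg in scanner_passwords:
                scanner_logins.append(conn)
        elif verb in WRITE_VERBS and conn in anon_sessions:
            write_attempts.append((conn, verb, arg))
    return scanner_logins, write_attempts
```

The password match is only consulted after an anonymous USER on the same connection, so the same string sent for a named account (c4 in the sample) is not reported.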



