[Snort-sigs] Sig to locate rogue ftp servers

Jon warchild at ...288...
Sun Feb 9 18:30:05 EST 2003


Greetings,

I'm using the following rule to hopefully track down rogue ftp servers
running on high ports on our (windows) machines. 

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"FTP on non-standard
port"; flow:from_server,established; content:"220"; depth:3;
classtype:bad-unknown; sid:100002;)

Its not foolproof, but in a little testing it seems to catch what I'm
looking for.  I initially was using a source port range of "!21", but found
that it triggered on port 25 with mail.  I thought of using "!21:25", but
had this dirty feeling that there are dozens of services that typically run
on ports 0:1024 that gives 220-ish responses that I don't know of.

fyi,

-jon




More information about the Snort-sigs mailing list