[Snort-sigs] Sig to locate rogue ftp servers
warchild at ...288...
Sun Feb 9 18:30:05 EST 2003
I'm using the following rule to hopefully track down rogue ftp servers
running on high ports on our (Windows) machines.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"FTP on non-standard
port"; flow:from_server,established; content:"220"; depth:3;)
It's not foolproof, but in a little testing it seems to catch what I'm
looking for. I initially was using a source port range of "!21", but found
that it triggered on port 25 with mail. I thought of using "!21:25", but
had this dirty feeling that there are dozens of services that typically run
on ports 0:1024 that give 220-ish responses that I don't know of.
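As an added illustration (not part of the original post, and not Snort's own matching engine), here is a small Python model of the rule's two checks, the source-port spec and the content/depth test, run over constructed server banners to show why "!21" fires on an SMTP greeting while "1024:" does not:

```python
from dataclasses import dataclass


@dataclass
class Flow:
    src_port: int    # server-side port
    payload: bytes   # first bytes the server sends (constructed samples below)


def port_matches(spec: str, port: int) -> bool:
    """Evaluate a Snort port spec: 'any', '21', '1024:', ':1024', '21:25',
    or any of those negated with a leading '!'."""
    spec = spec.strip()
    if spec == "any":
        return True
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return not hit if negate else hit


def content_matches(payload: bytes, content: bytes, depth: int) -> bool:
    """content:"..."; depth:N; -- pattern must fall within the first N bytes."""
    return content in payload[:depth]


def rule_fires(src_port_spec: str, flow: Flow) -> bool:
    # Models only the port and content/depth checks; flow:from_server,established
    # is assumed to hold for every sample (all are server-to-client banners).
    return port_matches(src_port_spec, flow.src_port) and content_matches(flow.payload, b"220", 3)


# Constructed sample banners, not captured traffic.
SAMPLE_FLOWS = {
    "ftp_on_21":    Flow(21,   b"220 Microsoft FTP Service\r\n"),
    "ftp_on_2121":  Flow(2121, b"220 rogue ftp ready\r\n"),
    "smtp_on_25":   Flow(25,   b"220 mail.example.com ESMTP\r\n"),
    "http_on_8080": Flow(8080, b"HTTP/1.1 200 OK\r\n"),
}


def evaluate(src_port_spec: str) -> dict:
    """Return {sample name: fired?} for one source-port spec."""
    return {name: rule_fires(src_port_spec, f) for name, f in SAMPLE_FLOWS.items()}
```

Calling `evaluate("!21")` flags the SMTP sample, `evaluate("1024:")` flags only the FTP banner on port 2121, which is the false positive and the fix the post describes.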