[Snort-sigs] Sig to locate rogue ftp servers

Jukka Juslin jtjuslin at ...1151...
Wed Feb 12 06:48:07 EST 2003

Dear Jon,

I don't think this rule really works. I get 100's of false positives each
day. Your ssh rule is good, though, because ssh is easy to recognize with
the SSH- in the header. I had similar rule in use before you posted yours.

I wouldn't recomment using this rule. Comments?


Jukka Juslin (M.Sc.)

On Sun, 9 Feb 2003, Jon wrote:

->I'm using the following rule to hopefully track down rogue ftp servers
->running on high ports on our (windows) machines.
->alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"FTP on non-standard
->port"; flow:from_server,established; content:"220"; depth:3;
->classtype:bad-unknown; sid:100002;)
->Its not foolproof, but in a little testing it seems to catch what I'm
->looking for.  I initially was using a source port range of "!21", but found
->that it triggered on port 25 with mail.  I thought of using "!21:25", but
->had this dirty feeling that there are dozens of services that typically run
->on ports 0:1024 that gives 220-ish responses that I don't know of.
->This SF.NET email is sponsored by:
->SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
->Snort-sigs mailing list
->Snort-sigs at lists.sourceforge.net


More information about the Snort-sigs mailing list