[Snort-sigs] Sig to locate rogue ftp servers

O'Flynn, Derek DOFlyn at ...466...
Wed Feb 12 08:28:02 EST 2003

Try this rule.  I have been using it for the past few months, and have not
seen many false positives.  It has the old flags usage because it was
written awhile back and I haven't bothered changing it to flow yet. I assume
flow:from_server,established; would work as a replacement.

331 is the command given after a successful user login.

alert tcp $HOME_NET !21 -> $EXTERNAL_NET any (msg:"FTP FTP on non-standard
FTP port"; flags:AP; content:"331 "; depth:4; classtype:policy-violation;)


-----Original Message-----
From: Jukka Juslin [mailto:jtjuslin at ...1151...] 
Sent: Wednesday, February 12, 2003 8:47 AM
To: Jon
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Sig to locate rogue ftp servers

Dear Jon,

I don't think this rule really works. I get 100's of false positives each
day. Your ssh rule is good, though, because ssh is easy to recognize with
the SSH- in the header. I had similar rule in use before you posted yours.

I wouldn't recomment using this rule. Comments?


Jukka Juslin (M.Sc.)

On Sun, 9 Feb 2003, Jon wrote:

->I'm using the following rule to hopefully track down rogue ftp servers
->running on high ports on our (windows) machines.
->alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"FTP on non-standard
->port"; flow:from_server,established; content:"220"; depth:3;
->classtype:bad-unknown; sid:100002;)
->Its not foolproof, but in a little testing it seems to catch what I'm
->looking for.  I initially was using a source port range of "!21", but
->that it triggered on port 25 with mail.  I thought of using "!21:25", but
->had this dirty feeling that there are dozens of services that typically
->on ports 0:1024 that gives 220-ish responses that I don't know of.
->This SF.NET email is sponsored by:
->SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
->Snort-sigs mailing list
->Snort-sigs at lists.sourceforge.net


This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20030212/13dfc4e1/attachment.html>

More information about the Snort-sigs mailing list