[Snort-sigs] Sig to locate rogue ftp servers

Brian bmc at ...95...
Wed Feb 12 14:00:15 EST 2003


On Wed, Feb 12, 2003 at 10:27:34AM -0600, O'Flynn, Derek wrote:
> Try this rule.  I have been using it for the past few months, and have not
> seen many false positives.  It has the old flags usage because it was
> written awhile back and I haven't bothered changing it to flow yet. I assume
> flow:from_server,established; would work as a replacement.
> 
> 331 is the command given after a successful user login.
> 
> alert tcp $HOME_NET !21 -> $EXTERNAL_NET any (msg:"FTP FTP on non-standard
> FTP port"; flags:AP; content:"331 "; depth:4; classtype:policy-violation;)

You are correct, using flow:from_server,established; would be what
should be used.  Your message states FTP 3 times.  If I were to look at
adding a rule like that I would probably go with "POLICY FTP on non-standard
port" as a message.

-brian
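An added example, not part of this thread: a small Python model of the conditions in Derek's rule (direction, source port !21, flags:AP, content "331 " within depth:4) run over constructed packet records. The 10.0.0.0/8 value for $HOME_NET and the 198.51.100.7 peer are assumptions; $EXTERNAL_NET is treated as anything outside $HOME_NET, and flags:AP without a modifier is modelled as Snort's default exact match.

```python
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed value of $HOME_NET

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters, e.g. "AP" for ACK+PSH
    payload: bytes

def is_home(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET

def matches_rogue_ftp(pkt: Packet) -> bool:
    # Model of: alert tcp $HOME_NET !21 -> $EXTERNAL_NET any
    #           (flags:AP; content:"331 "; depth:4; ...)
    if not is_home(pkt.src) or pkt.sport == 21:   # $HOME_NET !21
        return False
    if is_home(pkt.dst):                          # $EXTERNAL_NET taken as !$HOME_NET
        return False
    if set(pkt.flags) != {"A", "P"}:              # flags:AP with no modifier is an exact match
        return False
    # content:"331 "; depth:4 -> the pattern must sit inside the first 4 payload bytes
    return pkt.payload[:4].find(b"331 ") != -1

# Constructed packets, one per rule condition
SAMPLE_PACKETS = [
    # real FTP service on port 21: excluded by the !21 source port
    Packet("10.0.0.5", 21, "198.51.100.7", 51000, "AP", b"331 Password required for alice\r\n"),
    # FTP server answering on 2121 to an outside client: this is the alert case
    Packet("10.0.0.9", 2121, "198.51.100.7", 51002, "AP", b"331 Please specify the password.\r\n"),
    # same reply code but not within depth:4: no alert
    Packet("10.0.0.9", 2121, "198.51.100.7", 51003, "AP", b"  331 Password required\r\n"),
    # packet travelling from outside to inside: wrong direction for the rule
    Packet("198.51.100.7", 51004, "10.0.0.9", 2121, "AP", b"331 Password required\r\n"),
    # plain ACK without PSH: fails the exact flags:AP match
    Packet("10.0.0.9", 2121, "198.51.100.7", 51005, "A", b"331 Password required\r\n"),
]

def scan(packets):
    # Return (src, sport, dst) for every packet the rule would alert on
    return [(p.src, p.sport, p.dst) for p in packets if matches_rogue_ftp(p)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print("POLICY FTP on non-standard port:", hit)
```

Replacing the flags check with session tracking is what flow:from_server,established; would add; this model only reproduces the older flags-based form of the rule.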



