[Snort-sigs] Sig to locate rogue ftp servers
bmc at ...95...
Wed Feb 12 14:00:15 EST 2003
On Wed, Feb 12, 2003 at 10:27:34AM -0600, O'Flynn, Derek wrote:
> Try this rule. I have been using it for the past few months, and have not
> seen many false positives. It has the old flags usage because it was
> written a while back and I haven't bothered changing it to flow yet. I assume
> flow:from_server,established; would work as a replacement.
> 331 is the command given after a successful user login.
> alert tcp $HOME_NET !21 -> $EXTERNAL_NET any (msg:"FTP FTP on non-standard FTP port"; flags:AP; content:"331 "; depth:4; classtype:policy-violation;)
You are correct, using flow:from_server,established; would be what
should be used. Your message states FTP 3 times. If I were to look at
adding a rule like that I would probably go with "POLICY FTP on non-standard
port" as a message.