[Snort-sigs] Sig to locate rogue ftp servers

Jukka Juslin jtjuslin at ...1151...
Wed Feb 12 23:28:04 EST 2003

On Wed, 12 Feb 2003, Brian wrote:

->On Wed, Feb 12, 2003 at 10:27:34AM -0600, O'Flynn, Derek wrote:
->> Try this rule.  I have been using it for the past few months, and have not
->> seen many false positives.  It has the old flags usage because it was
->> written awhile back and I haven't bothered changing it to flow yet. I assume
->> flow:from_server,established; would work as a replacement.
->> 331 is the command given after a successful user login.
->> alert tcp $HOME_NET !21 -> $EXTERNAL_NET any (msg:"FTP FTP on non-standard
->> FTP port"; flags:AP; content:"331 "; depth:4; classtype:policy-violation;)
->You are correct, using flow:from_server,established; would be what
->should be used.  Your message states FTP 3 times.  If I were to look at
->adding a rule like that I would probably go with "POLICY FTP on non-standard
->port" as a message.

I get alerts based on ftp-data 20/tcp also by this rule. And that is a
standard port. Can I put !21!20 to the rule? Didn't find from rule guide,
maybe looked too quickly.


More information about the Snort-sigs mailing list