[Snort-sigs] What is "FTP file_id.diz access" about?

Matt Kettler mkettler at ...189...
Wed Jan 22 15:04:05 EST 2003


At 02:55 PM 1/22/2003 -0700, Jim Forster wrote:
>The FILE_ID.DIZ file is just a straight ASCII text file which contains a 
>description of the archive. It is normally placed inside the distribution 
>archive (ZIP) file, so that it travels with the product no matter where it 
>is distributed.  The FILE_ID.DIZ file, as defined by its creators (Clark 
>Development), is a file generated by the program author, and many BBS and 
>online services extract it from uploaded archives automatically.
Agreed, I understand fully what a file_id.diz is.



>We don't use these file descriptors on our servers for any reason, so I 
>should never see them, and haven't had a false yet.
>I have picked up 3 different servers that our clients had left anon FTP 
>open on that it tagged on.  (The 'anon' users tagged their files with this 
>outside the zip so it was easier to tell what it was), so I still keep it 
>in place on all but one of our sensors.
>YMMV. :)

Actually the signature will not detect a server at your site that has a 
file_id.diz on it; it will detect a *client* at your site accessing a 
file_id.diz file on an external server. Of course, if you have EXTERNAL_NET 
set to any, that part of the rule is obviously not going to be noticeable to 
you.

Look closely at the rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP file_id.diz access"; flow:to_server,established; content:"RETR "; nocase; content:"file_id.diz"; nocase; classtype:misc-activity; sid:1445; rev:2;)

Note this is from a HOME_NET client to an EXTERNAL_NET server.

I can't see any significant value in detecting a local client opening such 
a file on a remote server.

Now if I did run a local FTP server, and did not have any file_id.diz files 
on it, I could see the reverse of this rule being useful to detect if warez 
guys take over my ftp server. This seems to be what you think the rule 
does, but the rule to do that would be:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP file_id.diz access"; flow:to_server,established; content:"RETR "; nocase; content:"file_id.diz"; nocase; classtype:misc-activity; sid:1000001; rev:1;)
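The point of the message above is that the direction a Snort rule detects is fixed by its header ($HOME_NET -> $EXTERNAL_NET versus $EXTERNAL_NET -> $HOME_NET), and that the distinction collapses when both variables are set to any. The following is an added example, not code from the thread or from Snort itself: a small Python evaluator that parses just the header, content, nocase, flow and sid parts of the two rules quoted above and runs them against constructed FTP command packets under two variable bindings. The HOME_NET/EXTERNAL_NET values, IP addresses and packets are all made up for the illustration; session tracking for the "established" keyword is reduced to a to_server flag.

```python
import ipaddress
import re

# Constructed snort.conf-style variable bindings (assumed values, not from the thread).
VARS_TYPICAL = {"HOME_NET": "192.168.0.0/16", "EXTERNAL_NET": "!192.168.0.0/16"}
VARS_ANY = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

# The two rules from the message, each joined onto one line.
RULE_ORIGINAL = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP file_id.diz access"; '
    'flow:to_server,established; content:"RETR "; nocase; content:"file_id.diz"; '
    'nocase; classtype:misc-activity; sid:1445; rev:2;)'
)
RULE_REVERSED = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP file_id.diz access"; '
    'flow:to_server,established; content:"RETR "; nocase; content:"file_id.diz"; '
    'nocase; classtype:misc-activity; sid:1000001; rev:1;)'
)

HEADER_RE = re.compile(r'^alert\s+tcp\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')
CONTENT_RE = re.compile(r'content:"([^"]*)";\s*(nocase;)?')


def _net_matcher(spec, variables):
    """Turn '$HOME_NET', 'any', '10.0.0.0/8' or '!10.0.0.0/8' into a predicate on an IP string."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return lambda ip: True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"))
    return lambda ip: (ipaddress.ip_address(ip) in net) != negate


def _port_matcher(spec):
    return (lambda p: True) if spec == "any" else (lambda p: p == int(spec))


def parse_rule(text, variables):
    """Parse the header plus the content/nocase/flow/sid options of one 'alert tcp' rule."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    src, sport, dst, dport, body = m.groups()
    return {
        "sid": int(re.search(r"sid:(\d+);", body).group(1)),
        "src": _net_matcher(src, variables),
        "sport": _port_matcher(sport),
        "dst": _net_matcher(dst, variables),
        "dport": _port_matcher(dport),
        "to_server": "flow:to_server" in body,
        # (pattern bytes, case-insensitive?) for each content keyword, in order
        "contents": [(c.encode(), bool(nc)) for c, nc in CONTENT_RE.findall(body)],
    }


def rule_matches(rule, pkt):
    """pkt: dict with src, sport, dst, dport, to_server (bool) and payload (bytes)."""
    if rule["to_server"] and not pkt["to_server"]:
        return False  # flow:to_server only looks at client -> server traffic
    if not (rule["src"](pkt["src"]) and rule["dst"](pkt["dst"])):
        return False  # header direction: source and destination nets must both match
    if not (rule["sport"](pkt["sport"]) and rule["dport"](pkt["dport"])):
        return False
    for pattern, nocase in rule["contents"]:
        haystack = pkt["payload"].lower() if nocase else pkt["payload"]
        needle = pattern.lower() if nocase else pattern
        if needle not in haystack:
            return False
    return True


def firing_sids(rule_texts, variables, pkt):
    """Return the sids of every rule that would alert on pkt under the given variable bindings."""
    rules = (parse_rule(t, variables) for t in rule_texts)
    return sorted(r["sid"] for r in rules if rule_matches(r, pkt))


# Constructed sample traffic (RFC 1918 and documentation address ranges only).
LOCAL_CLIENT_TO_EXTERNAL = dict(src="192.168.1.10", sport=40001, dst="203.0.113.5", dport=21,
                                to_server=True, payload=b"RETR FILE_ID.DIZ\r\n")
EXTERNAL_CLIENT_TO_LOCAL = dict(src="198.51.100.7", sport=51000, dst="192.168.1.20", dport=21,
                                to_server=True, payload=b"RETR file_id.diz\r\n")
LOCAL_CLIENT_README = dict(src="192.168.1.10", sport=40002, dst="203.0.113.5", dport=21,
                           to_server=True, payload=b"RETR README.TXT\r\n")
SERVER_REPLY = dict(src="203.0.113.5", sport=21, dst="192.168.1.10", dport=40001,
                    to_server=False, payload=b"150 Opening data connection for file_id.diz\r\n")

if __name__ == "__main__":
    rules = [RULE_ORIGINAL, RULE_REVERSED]
    samples = [("local client -> external server", LOCAL_CLIENT_TO_EXTERNAL),
               ("external client -> local server", EXTERNAL_CLIENT_TO_LOCAL),
               ("local client fetching README", LOCAL_CLIENT_README),
               ("server reply", SERVER_REPLY)]
    for name, pkt in samples:
        print(f"{name:32s} typical: {firing_sids(rules, VARS_TYPICAL, pkt)}"
              f"  any/any: {firing_sids(rules, VARS_ANY, pkt)}")
```

With the typical bindings, sid 1445 fires only for the local client pulling the file from an external server and sid 1000001 only for the external client pulling it from a local server; with HOME_NET and EXTERNAL_NET both set to any, both rules fire on both packets, which is the loss of direction the message warns about.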