[Snort-sigs] What is "FTP file_id.diz access" about?

Jim Forster jforster at ...11...
Wed Jan 22 15:35:03 EST 2003

We have a rather strange setup on a few sensors. :)  The rules run in a 'backwards' config to monitor those client boxes, as they are considered 'external' to the traffic generally being routed at that location.
Agreed, the rule you rewrote would be of more use to people watching incoming attacks, rather than watching users at a location going to an outside (local) client.

---==On Wed, 22 Jan 2003 18:06:25 -0500, Matt Kettler wrote==---
At 02:55 PM 1/22/2003 -0700, Jim Forster wrote:
>The FILE_ID.DIZ file is just a straight ASCII text file which contains a
>description of the archive. It is normally placed inside the distribution
>archive (ZIP) file, so that it travels with the product no matter where it
>is distributed. ?The FILE_ID.DIZ file, as defined by its creators (Clark
>Development), is a file generated by the program author, and many BBS and
>online services extract it from uploaded archives automatically.
Agreed, I understand fully what a file_id.diz is.

>We don't use these file descriptors on our servers for any reason, so I
>should never see them, and haven't had a false yet.
>I have picked up 3 different servers that our clients had left anon FTP
>open on that it tagged on. ?(The 'anon' users tagged their files with this
>outside the zip so it was easier to tell what it was), so I still keep it
>in place on all but one of our sensors.
>YMMV. :)

Actually the signature will not detect a server at your site that has a
file_id.diz on it, it will detect a *client* at your site accessing a
file_id.diz file on an external server. Of course, if you have EXTERNAL_NET
set to any that part of the rule is obviously not going to be noticeable to

Look closely at the rule:

alert tcp $HOME_NET any ->?$EXTERNAL_NET 21 (msg:"FTP file_id.diz access";
flow:to_server,established; content:"RETR "; nocase; content:"file_id.diz";
?classtype:misc-activity; sid:1445; ?rev:2;)

Note this is from a HOME_NET client to an EXTERNAL_NET server.

I can't see any significant value in detecting a local client opening such
a file on a remote server.

Now if I did run a local FTP server, and did not have any file_id.diz files
on it, I could see the reverse of this rule being useful to detect if warez
guys take over my ftp server. This seems to be what you think the rule
does, but the rule to do that would be:

alert tcp ?$EXTERNAL_NETany ->?$HOME_NET 21 (msg:"FTP file_id.diz access";
flow:to_server,established; content:"RETR "; nocase; content:"file_id.diz";
?classtype:misc-activity; sid:1000001; ?rev:1;)

This SF.net email is sponsored by: Scholarships for Techies!
Can't afford IT training? All 2003 ictp students receive scholarships.
Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more.
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

"Some mornings, it's just not worth chewing through the leather straps."
-Emo Philips

Jim Forster, jforster at ...11... on 1/22/2003
Network Administrator
RapidNet, A Golden West Company

More information about the Snort-sigs mailing list