[Snort-sigs] nmap -b snort rule

cress1 cress1 at ...518...
Mon Jan 27 11:23:03 EST 2003


Hello, I'm trying to write a rule that will catch the nmap -b (ftp bounce 
scan). 
I've tried the following rule, which I believe will create too many false 
alarms. Any better suggestions would be greatly appreciated:

alert tcp $HOME_NET 20 -> any any (msg:"possible FTP bounce scan"; content:"total"; nocase; depth: 10; rev:2;)

The nmap ftp bounce scan takes the following steps:
1) Attack Host (AH) logs into some Ftp Server (FS).
2) AH instructs FS, via a 'PORT' command, to change the port and IP address 
(to your Victim Host (VH)) it sends commands to.
3) FS performs the 3-way handshake from the ftp-data port (20) with the VH 
port (the one you specified on the nmap command line).
4) FS responds to AH with a '150 ASCII data connection for (VH,port) (0 
bytes)'.
5) FS sends a directory listing to the VH on that port, the first line of 
which is 'total', a space, and the number of items in your home directory 
on the FS, followed by an ls -l style list of your home dir.
6) VH ACKs the transfer and then FS closes the connection gracefully.

I guess some sort of 'stateful' alarm from the AH's $HOME_NET that watched for 
ftp connections followed by PORT commands to another host would be the best 
solution, but I don't believe snort has this kind of capability (please correct 
me if I'm wrong).  Both of the alerts I composed above fire during the course 
of the scan (so they "work"), but I believe they'll also fire any time an ftp 
server sends a directory listing anywhere via the default data port 20.

Basically my rule attempts will likely produce a lot of false positives. Does 
anyone have any suggestions for a better workaround, or a better alert?

Thanks for your help. 
--doug ><>
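As an added illustration (not part of the original post, and not a Snort feature), here is the 'stateful' check the post asks about, written in Python over a constructed log of FTP control-channel commands: a PORT command whose h1,h2,h3,h4 address is not the client that issued it is the tell-tale of a bounce, and a run of such commands toward one third-party host on many ports is what an nmap -b scan looks like from the FTP server's side. The "client -> server: COMMAND" line format, the host addresses and the min_ports threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# FTP PORT argument format (RFC 959): h1,h2,h3,h4,p1,p2 -> IP h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class BounceAlert:
    client: str      # host that logged into the FTP server (AH in the post)
    ftp_server: str  # FTP server being used as the bounce point (FS)
    target: str      # address named in the PORT command (VH)
    target_port: int


def parse_port_arg(command):
    """Decode a PORT command's h1,h2,h3,h4,p1,p2 argument. Returns (ip, port) or None."""
    m = PORT_RE.match(command)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):  # each field is one byte; anything larger is malformed
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def find_bounce_attempts(log_lines):
    """Flag every PORT command whose target address is not the FTP client itself.

    A normal active-mode transfer sends PORT with the client's own address;
    a PORT naming some other host is the core of the ftp bounce technique.
    """
    alerts = []
    for line in log_lines:
        # Assumed (constructed) line shape: "<client_ip> -> <server_ip>: <FTP command>"
        try:
            endpoints, command = line.split(": ", 1)
            client, server = endpoints.split(" -> ")
        except ValueError:
            continue  # not a control-channel line in the expected shape
        parsed = parse_port_arg(command)
        if parsed is None:
            continue
        target, port = parsed
        if target != client:
            alerts.append(BounceAlert(client, server, target, port))
    return alerts


def summarize_scans(alerts, min_ports=3):
    """Group bounce alerts by (client, server, target) and keep only triples that
    touched at least min_ports distinct target ports: one stray PORT might be a
    misconfigured client, but many in a row look like nmap -b walking a port list."""
    ports = defaultdict(set)
    for a in alerts:
        ports[(a.client, a.ftp_server, a.target)].add(a.target_port)
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}


# Constructed sample log: 10.0.0.5 does a normal active-mode LIST, while 10.0.0.9
# repeatedly redirects the FTP server's data connection at 192.168.1.50.
SAMPLE_LOG = [
    "10.0.0.5 -> 10.0.0.21: USER anonymous",
    "10.0.0.5 -> 10.0.0.21: PASS guest@",
    "10.0.0.5 -> 10.0.0.21: PORT 10,0,0,5,4,1",       # client's own address, port 1025
    "10.0.0.5 -> 10.0.0.21: LIST",
    "10.0.0.9 -> 10.0.0.21: USER anonymous",
    "10.0.0.9 -> 10.0.0.21: PORT 192,168,1,50,0,22",   # third host, port 22
    "10.0.0.9 -> 10.0.0.21: LIST",
    "10.0.0.9 -> 10.0.0.21: PORT 192,168,1,50,0,80",   # third host, port 80
    "10.0.0.9 -> 10.0.0.21: LIST",
    "10.0.0.9 -> 10.0.0.21: PORT 192,168,1,50,1,187",  # third host, port 443
    "10.0.0.9 -> 10.0.0.21: LIST",
    "10.0.0.9 -> 10.0.0.21: PORT 999,0,0,1,0,1",       # malformed, ignored
]

if __name__ == "__main__":
    found = find_bounce_attempts(SAMPLE_LOG)
    for a in found:
        print(f"bounce: {a.client} via {a.ftp_server} -> {a.target}:{a.target_port}")
    for (client, server, target), ports in summarize_scans(found).items():
        print(f"likely ftp bounce scan: {client} via {server} against {target}, ports {ports}")
```

Run on the sample log this reports three bounce alerts from 10.0.0.9 and one likely scan against 192.168.1.50 on ports 22, 80 and 443, while the normal listing by 10.0.0.5 stays quiet. The same comparison (PORT target versus control-connection source) is what the post's content:"total" rule cannot express, because that rule only sees the data channel after the bounce has already happened.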