[Snort-sigs] nmap -b snort rule
cress1 at ...518...
Mon Jan 27 11:23:03 EST 2003
Hello, I'm trying to write a rule that will catch the nmap -b (ftp bounce
I've tried the following rule which I believe will create too many false
alarms. Any better suggestions would be greatly appreciated:
alert tcp $HOME_NET 20 -> any any (msg:"possible FTP bounce scan";
content:"total"; nocase; depth: 10; rev:2;)
The nmap ftp bounce scan takes the following steps:
1) Attack Host (AH) logs into some Ftp Server (FS)
2) AH instructs FS to change ports and IP address (to your Victim Host(VH)) to
send commands to, via a 'PORT' command.
3) FS performs the 3-way-handshake from the ftp-data port (20) with the VH
port (the one you specified from the nmap command line).
4) FS responds to AH with a '150 ASCII data connection for (VH,port) (0
5) FS sends a directory listing to the VH on the port
the first line of which is 'total' a space and the number of items in
your home directory on the FS. Followed by an ls -l style list of your home
6) VH ACKs the transfer and then FS closes the connection gracefully.
I guess some sort of 'stateful' alarm from the AH's $HOME_NET that watched for
ftp connections followed by PORT commands to another host, would be the best
solution, but I don't believe snort has this kind of capability (please correct
me if I'm wrong). Both of the alerts I composed above fire during the course
of the scan (so they "work") but I believe they'll also fire any time an ftp
server sends a directory listing anywhere via the default data port 20.
Basically my rule attempts will likely produce a lot of false positives. Does
anyone have any suggestions for a better workaround, or a better alert?
Thanks for your help.
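The stateful check the poster wishes for (watch FTP control sessions and flag a PORT command that names a host other than the client issuing it) can be expressed outside Snort as a small log-processing script. The following is an added example, not code from the post or from the Snort project; the control-channel lines and the 192.0.2.x / 198.51.100.x addresses are constructed sample data.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# FTP active-mode command: PORT h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)

def parse_port(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT command line, or None if it is not one."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None  # malformed argument, not a usable PORT command
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]

def detect_bounce(events: Iterable[Tuple[str, str]]) -> List[str]:
    """
    events: (client_ip, line) pairs taken from FTP control sessions (port 21),
    client toward server. Every PORT command whose address differs from the
    client that sent it is reported: that mismatch is what distinguishes a
    bounce (the nmap -b scan described above) from ordinary active-mode FTP.
    """
    alerts = []
    for client_ip, line in events:
        parsed = parse_port(line)
        if parsed is None:
            continue
        target_ip, target_port = parsed
        if ipaddress.ip_address(target_ip) != ipaddress.ip_address(client_ip):
            alerts.append(f"FTP bounce: client {client_ip} directed the server's "
                          f"data connection to {target_ip}:{target_port}")
    return alerts

# Constructed sample session: one normal active-mode transfer followed by
# two PORT commands that point the data connection at a third host.
SAMPLE_EVENTS = [
    ("192.0.2.10", "USER anonymous"),
    ("192.0.2.10", "PORT 192,0,2,10,4,1"),     # client's own address: normal
    ("192.0.2.10", "LIST"),
    ("192.0.2.10", "PORT 198,51,100,7,0,80"),  # third-party host: bounce
    ("192.0.2.10", "LIST"),
    ("192.0.2.10", "PORT 198,51,100,7,0,22"),  # third-party host: bounce
    ("192.0.2.10", "LIST"),
]

if __name__ == "__main__":
    for alert in detect_bounce(SAMPLE_EVENTS):
        print(alert)
```

The same comparison is what makes a PORT-based check specific to the control channel instead of the "total" line on port 20, so legitimate directory listings to the requesting client do not fire.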