[Snort-sigs] nmap -b snort rule

Andreas Östling andreaso at ...58...
Wed Jan 29 07:34:04 EST 2003


On Monday 27 January 2003 20.20, cress1 wrote:
> Hello, I'm trying to write a rule that will catch the nmap -b (ftp bounce
> scan).
...
> I guess some sort of 'stateful' alarm from the AH's $HOME_NET that watched
> for ftp connections followed by PORT commands to another host, would be the
> best solution, but I don't believe snort has this kind of capability (please
> correct me if I'm wrong).  Both of the alerts I composed above fire during
> the course of the scan (so they "work") but I believe they'll also fire any
> time an ftp server sends a directory listing anywhere via the default
> data port 20.
>
> Basically my rule attempts will likely produce a lot of false positives.
> Does anyone have any suggestions for a better workaround? Or a better
> alert?

I once wrote a preprocessor to detect some ftp PORT bouncing by using the 
method you describe above. As usual, it contains some fatal bugs and was 
never finished... but perhaps it could give a few ideas.
There is an old snapshot on http://nitzer.dhs.org/spp_ftp_port_bounce.tar.gz

/Andreas
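
The stateful check cress1 describes above (watch the FTP control channel and flag a PORT command whose data-connection host is not the client itself) as an added Python example; this is not Andreas's preprocessor or any code from the thread. It assumes the RFC 959 `PORT h1,h2,h3,h4,p1,p2` syntax, and the event tuples and sample session are constructed for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Argument of an FTP PORT command: h1,h2,h3,h4,p1,p2 (RFC 959)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

@dataclass(frozen=True)
class Alert:
    client: str   # source of the FTP control connection
    server: str   # FTP server being used as the bounce point
    target: str   # host named in the PORT command
    port: int     # port the server would be told to connect to

def parse_port(line):
    """Return (ip, port) from a 'PORT h1,h2,h3,h4,p1,p2' line, else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None  # octet or port byte out of range: malformed PORT
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]

def find_bounces(events):
    """Flag PORT commands whose data-connection host differs from the client.
    events: iterable of (client_ip, server_ip, control_line) tuples, i.e. the
    client->server half of FTP control sessions (constructed for this example)."""
    alerts = []
    for client, server, line in events:
        parsed = parse_port(line)
        if parsed is None:
            continue
        target, port = parsed
        if ip_address(target) != ip_address(client):
            alerts.append(Alert(client, server, target, port))
    return alerts

# Constructed sample session: one normal directory listing, one bounce attempt.
SAMPLE_EVENTS = [
    ("10.0.0.5", "192.0.2.10", "USER anonymous"),
    ("10.0.0.5", "192.0.2.10", "PORT 10,0,0,5,4,1"),     # 10.0.0.5:1025, legitimate
    ("10.0.0.5", "192.0.2.10", "LIST"),
    ("10.0.0.5", "192.0.2.10", "PORT 192,0,2,77,0,22"),  # 192.0.2.77:22, bounce
    ("10.0.0.5", "192.0.2.10", "LIST"),
]

if __name__ == "__main__":
    for a in find_bounces(SAMPLE_EVENTS):
        print(f"FTP bounce: {a.client} via {a.server} -> {a.target}:{a.port}")
```

Because the check keys on the address inside the PORT command rather than on traffic from data port 20, an ordinary directory listing (PORT pointing back at the client) does not fire, which addresses the false-positive concern in the quoted message.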