[Snort-sigs] Signature Definition #359, 3 of 20

Esler, Joel Contractor EslerJ at ...785...
Mon Jun 9 05:12:12 EDT 2003

 Rule: -- FTP satan scan 
 Sid: -- 359
 Summary: -- This signature detects a Satan Scan scanning to any box on the
network to port 21.  The Satan Scanner uses the string "satan" as a password
to login to an FTP Server
 Impact: -- If you have unknown anonymous login boxes on your network, this
will help you remedy that.
 Detailed Information: -- Satan Scanner is a vulnerability detection tool
that attempts logins to network boxes on port 21.  For a password the Satan
Scanner will use the string "pass -satan".
 Affected Systems: -- FTP Servers known or unknown with anonymous login
 Attack Scenarios: -- 
 Ease of Attack: -- Easy
 False Positives: -- If a user uses the password string "satan" upon FTP
login it can trigger this signature
 False Negatives: -- 
 Corrective Action: -- Disable anonymous login on FTP Servers and require
users to authenticate with a secure password.  Block offending IP's at the
 Contributors: -- Joel Esler
 Additional References: arachnids,329

More information about the Snort-sigs mailing list