[Snort-sigs] Signature Definition #489, 7 of 20
Esler, Joel Contractor
EslerJ at ...785...
Mon Jun 9 05:28:06 EDT 2003
Rule: -- INFO FTP No Password
Sid: -- 489
Summary: -- This string detects the command "pass" with no entry afterwards
Impact: -- If you have unknown anonymous login boxes on your network, this
will help you remedy that.
Detailed Information: -- If an attempt to login to an FTP Server without a
password could indicate an unauthorized or weakly set up FTP server. All
FTP Servers should be set up with Username/password authentication.
Affected Systems: -- Unauthroized or weak FTP Servers
Attack Scenarios: -- Reconnasiance
Ease of Attack: -- Easy
False Positives: -- Internet Explorer, when used to login to an FTP Server,
it first attempts to login as "blank", then as "IEUser at ...1577...", Unknown if other
FTP Programs trigger the same thing
False Negatives: -- Unknown
Corrective Action: -- Find and disable unauthorized FTP Servers, secure
authorized FTP Servers by removing anonymous logins and require
Contributors: -- Joel Esler
Additional References: arachnids,322
More information about the Snort-sigs