[Snort-sigs] Signature Definition #489, 7 of 20

Esler, Joel Contractor EslerJ at ...785...
Mon Jun 9 05:28:06 EDT 2003

 Rule: -- INFO FTP No Password   
 Sid: -- 489 
 Summary: -- This string detects the command "pass" with no entry afterwards
 Impact: -- If you have unknown anonymous login boxes on your network, this
will help you remedy that.
 Detailed Information: -- If an attempt to login to an FTP Server without a
password could indicate an unauthorized or weakly set up FTP server.  All
FTP Servers should be set up with Username/password authentication.
 Affected Systems: -- Unauthroized or weak FTP Servers
 Attack Scenarios: -- Reconnasiance
 Ease of Attack: -- Easy
 False Positives: -- Internet Explorer, when used to login to an FTP Server,
it first attempts to login as "blank", then as "IEUser at ...1577...", Unknown if other
FTP Programs trigger the same thing
 False Negatives: -- Unknown
 Corrective Action: -- Find and disable unauthorized FTP Servers, secure
authorized FTP Servers by removing anonymous logins and require
username/password authentication
 Contributors: -- Joel Esler
 Additional References: arachnids,322

More information about the Snort-sigs mailing list