[Snort-sigs] FX-Scanner Rule

snortman snortman at ...1143...
Wed Feb 11 09:19:10 EST 2004

alert tcp any any -> $FTP_SERVERS 21 (flow:established,to_server; 
content:"PASS ano at ...2218..."; nocase; 
reference:url,http\://fxpcenter.inet-e.de/scanner.html; msg:"FX -Scanner 
FTP Access"; classtype:network-scan; sid:1000004; rev:4;)

Simple rule to detect an FX-Scanner Scan.  From watch the snort alerts 
it appears that the user probably can change the anonymous login 
password, but they seldom ever do.

More information about the Snort-sigs mailing list