[Snort-sigs] FX-Scanner Rule
snortman at ...1143...
Wed Feb 11 09:19:10 EST 2004
alert tcp any any -> $FTP_SERVERS 21 (flow:established,to_server;
content:"PASS ano at ...2218..."; nocase;
reference:url,http\://fxpcenter.inet-e.de/scanner.html; msg:"FX -Scanner
FTP Access"; classtype:network-scan; sid:1000004; rev:4;)
Simple rule to detect an FX-Scanner Scan. From watch the snort alerts
it appears that the user probably can change the anonymous login
password, but they seldom ever do.
More information about the Snort-sigs