[Snort-sigs] FX-Scanner Rule

snortman snortman at ...1143...
Wed Feb 11 09:19:10 EST 2004


alert tcp any any -> $FTP_SERVERS 21 (flow:established,to_server; 
content:"PASS ano at ...2218..."; nocase; 
reference:url,http\://www.securityfocus.com/archive/75/299560/2002-11-10/2002-11-16/0; 
reference:url,http\://www.mynetwatchman.com/kb/security/ports/6/57.htm; 
reference:url,http\://fxpcenter.inet-e.de/scanner.html; msg:"FX -Scanner 
FTP Access"; classtype:network-scan; sid:1000004; rev:4;)

Simple rule to detect an FX-Scanner Scan.  From watch the snort alerts 
it appears that the user probably can change the anonymous login 
password, but they seldom ever do.





More information about the Snort-sigs mailing list