[Snort-sigs] False negatives on 1:491:6 (INFO FTP Bad login)

nnposter at ...592...
Mon May 10 10:02:09 EDT 2004


Rule: INFO FTP Bad login

--
Sid: 491

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

--
False Negatives:

The current version of the rule will not detect failed FTP logins for IIS 4
and IIS 5 servers because it expects the word "Login" after status code 530.

Connected to ftp.foo.com.
220 ftp.foo.com Microsoft FTP Service (Version 5.0).
User (ftp.foo.com:(none)): someuser
331 Password required for someuser.
Password:
530 User someuser cannot log in.
Login failed.

--
Corrective Action:

--
Contributors:

-- 
Additional References:



The following proposed revision will utilize PCRE to accommodate
alternative status wordings:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login";
content:"530 "; pcre:"/^530\s+(Login|User)\s/smi";
flow:from_server,established; classtype:bad-unknown; sid:491; rev:7;)
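
The proposed expression can be checked offline against sample server replies. The following is an added example, not part of the original post or of Snort: it runs the same expression through Python's re module (flags s, m, i) over constructed payloads. The rev 6 pattern is an assumed model based only on the description above, and rule_matches and evaluate are hypothetical names.

```python
import re

# Python equivalent of the proposed pcre:"/^530\s+(Login|User)\s/smi"
PROPOSED = re.compile(r"^530\s+(Login|User)\s", re.S | re.M | re.I)

# Assumed model of rev 6: the post only says it expects "Login" after 530.
REV6_MODEL = re.compile(r"^530\s+Login\s", re.S | re.M | re.I)

# Constructed server-to-client payloads (not captured traffic).
SAMPLES = {
    "login_incorrect": b"530 Login incorrect.\r\n",
    "iis_wording": b"530 User someuser cannot log in.\r\n",
    "rfc959_wording": b"530 Not logged in.\r\n",
    # "530 " appears mid-line in a successful login banner.
    "quota_banner": b"230-Quota: 530 MB free\r\n230 User logged in.\r\n",
    # Two replies in one segment: /m lets ^ anchor at the second line.
    "coalesced": b"331 Password required for someuser.\r\n"
                 b"530 User someuser cannot log in.\r\n",
}


def rule_matches(payload: bytes, pattern: re.Pattern) -> bool:
    """Emulate content:"530 " (case-sensitive) followed by the pcre option."""
    text = payload.decode("latin-1")  # 1:1 byte-to-char mapping
    if "530 " not in text:
        return False
    return pattern.search(text) is not None


def evaluate() -> dict:
    """Return {sample_name: (rev6_model_hit, proposed_hit)}."""
    return {
        name: (rule_matches(p, REV6_MODEL), rule_matches(p, PROPOSED))
        for name, p in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (old, new) in evaluate().items():
        print(f"{name:16} rev6_model={old!s:5} proposed={new}")
```

The rfc959_wording sample shows that a 530 reply worded "Not logged in" is matched by neither pattern, and the quota_banner sample shows the line anchor keeping a mid-line "530 " from triggering the rule.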
