[Snort-sigs] False negatives on 1:491:6 (INFO FTP Bad login)

nnposter at ...592...
Mon May 10 10:02:09 EDT 2004

Rule: INFO FTP Bad login

Sid: 491



Detailed Information:

Affected Systems:

Attack Scenarios:

Ease of Attack:

False Positives:

False Negatives:

The current version of the rule will not detect failed FTP logins for IIS 4
and IIS 5 servers because it expects the word "Login" after status code 530.

Connected to ftp.foo.com.
220 ftp.foo.com Microsoft FTP Service (Version 5.0).
User (ftp.foo.com:(none)): someuser
331 Password required for someuser.
530 User someuser cannot log in.
Login failed.

Corrective Action:


Additional References:

The following proposed revision will utilize PCRE to accommodate
alternative status wordings:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login";
content:"530 "; pcre:"/^530\s+(Login|User)\s/smi";
flow:from_server,established; classtype:bad-unknown; sid:491; rev:7;)
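
Added example (not part of the original post and not Snort code): a Python check of the proposed pcre against constructed server replies, to see which 530 wordings each revision covers. Rev 6 is modelled, as an assumption, as a case-insensitive match on "530 Login"; the function and sample names are hypothetical.

```python
import re

# The post's pcre; Snort's /smi modifiers map to DOTALL, MULTILINE, IGNORECASE.
PROPOSED_PCRE = re.compile(rb"^530\s+(Login|User)\s", re.S | re.M | re.I)

def rev6_matches(payload: bytes) -> bool:
    # Assumption: rev 6 modelled as a case-insensitive "530 Login" content match.
    return b"530 login" in payload.lower()

def rev7_matches(payload: bytes) -> bool:
    # content:"530 " has no nocase, so the literal bytes must be present first.
    return b"530 " in payload and PROPOSED_PCRE.search(payload) is not None

# Constructed server-to-client payloads; the IIS line is the one quoted in the post.
SAMPLES = {
    "iis5_failed": b"530 User someuser cannot log in.\r\n",
    "login_wording": b"530 Login incorrect.\r\n",
    "two_replies_one_segment": b"331 Password required for someuser.\r\n"
                               b"530 User someuser cannot log in.\r\n",
    "rfc959_wording": b"530 Not logged in.\r\n",
    "tab_after_code": b"530\tUser someuser cannot log in.\r\n",
    "successful_login": b"230 User someuser logged in.\r\n",
}

def coverage(samples=SAMPLES):
    # Map each sample name to (rev 6 result, rev 7 result).
    return {name: (rev6_matches(p), rev7_matches(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (old, new) in coverage().items():
        print(f"{name:26} rev6={old!s:5} rev7={new}")
```

The "rfc959_wording" and "tab_after_code" rows are 530 replies that neither revision matches: the first uses a word outside the alternation, the second fails the literal content:"530 " check before the pcre is evaluated.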

