01-30-2007 12:57 AM - edited 03-10-2019 03:26 AM
This signature seems to fire towards FTP servers with a welcome message before the login prompt.
E.g.
Connected to 127.0.0.1.
220-##
220-##
220-*--------------------------------------------------------------------------------*
220-*--------------------------------------------------------------------------------*
220-##
220-##
220
-> USER Administrator
331 Please specify the password.
-> PASS blaha
530 Login incorrect.
...
Are these signatures really looking for the response code 230?
01-30-2007 05:23 AM
The signatures look for users "root" or "administrator" attempting to log in to an ftp server, successful or not.
01-30-2007 07:09 AM
Ah ok. (It was the MARS Category string that fooled me.)
Is there a way to tune these signatures into only detecting successful logins?
01-30-2007 11:08 AM
The thinking here is that anyone trying to log into an ftp server as root or administrator is generally not a good thing.
That said, you couldn't tune 3171 itself, but you could use it along with a custom signature and combine the two into a meta sig.
Create a custom signature for the 230 login successful:
in string.tcp, from port 21
regex 230\x20[Uu][Ss][Ee][Rr]\x20
swap attacker/victim
(you may choose to suppress the "produce-alert" action for this signature)
Combine 3171-0 and the newly created "230" sig into another custom signature in the META engine.
3171-0 and your sig are components that appear in that order, meta key AxBx (attacker and victim addresses)
01-30-2007 11:20 AM
"The thinking here is that anyone trying to log into an ftp server as root or administrator is generally not a good thing."
True, but if you have a sensor in front of an Internet-facing FTP server... you WILL see attempts to log in with the root/admin account. Having a sig for that is still good, and users should be able to choose whether they want alarms. However, I would second a request to have Cisco write a signature to detect successful root/admin ftp logins. Much more meaningful and actionable in my opinion.
03-16-2007 06:48 AM
It looks like Cisco is listening ;-)
I haven't tested or even looked at said signatures, but the latest sig update (S276) appears to have a sig to detect successful privileged FTP logins:
5.x,6.x 5847.0 FTP Successful Privileged Login META Low True
5.x,6.x 5847.1 FTP Successful Privileged Login META Low True
Thanks wsulym.
03-16-2007 09:26 AM
We listen. Have a good weekend. :-)
03-20-2007 05:20 AM
Very nice! :)
03-21-2007 02:36 AM
Looking at signature 5846 (FTP 230 Reply Code) and the regexp "230 [Uu][Ss][Ee][Rr] ".
An FTP server is not required to have the string "User" after a 230 response code, so this signature will only detect successful logins to some FTP servers :(.
04-03-2007 11:29 AM
You are correct. Per RFC, all that's required is the "230" reply; the rest makes it easy for carbon-based lifeforms to understand and is optional. A more RFC-conforming change to that sig will be in the next update.
04-04-2007 07:21 AM
Great :)
Another meta signature that would be useful is something like "FTP Successful brute force". Consisting of signatures 6250 (FTP Auth. Failure) and 5846 (FTP 230 Reply Code) to detect successful brute force attempts.
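As an added example (this is not Cisco IPS code and not from any poster in this thread), the following Python sketch implements the meta-signature logic described earlier: component A is a USER command naming root or administrator, component B is a 230 reply, and the two are correlated per client/server address pair in the spirit of the AxBx meta key. It also implements the "successful brute force" idea from this post, a run of 530 failures followed by a 230 on the same address pair. The 230 check follows the RFC 959 reading given above (only the reply code is mandatory, and multi-line replies use "230-" continuation lines), and it shows the narrower "230 User" regex missing a reply that lacks that text. The addresses, reply texts and the failure threshold of three are constructed assumptions, not values from the page or the signature set.

```python
"""Stateful detector for privileged FTP logins and brute-force success.

Constructed example: correlates FTP control-channel lines per
(client, server) pair, the way a META signature keyed on attacker and
victim addresses would. Not Cisco IPS code; all sample data is made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRIVILEGED_USERS = {"root", "administrator"}
FAILURE_THRESHOLD = 3  # assumption: 530 replies before a 230 that count as brute force

# Narrow pattern in the style of the original 5846 signature: needs the word "User".
NARROW_230 = re.compile(r"230 [Uu][Ss][Ee][Rr] ")
# RFC 959 reading: a final reply line is the code followed by a space (or nothing at all);
# "230-" marks a continuation line of a multi-line reply and is not the final line.
FINAL_230 = re.compile(r"^230(?:\s|$)")
REPLY_530 = re.compile(r"^530(?:\s|-|$)")
USER_CMD = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)

Event = Tuple[str, str, str, str]  # (client, server, direction, line)
Alert = Tuple[str, str, str, str]  # (name, client, server, user)


def narrow_matches(reply: str) -> bool:
    """Original-style check: only fires when 'User' follows the 230 code."""
    return NARROW_230.search(reply) is not None


def rfc_matches(reply: str) -> bool:
    """RFC-conformant check: the 230 code alone is sufficient."""
    return FINAL_230.match(reply) is not None


@dataclass
class SessionState:
    last_user: Optional[str] = None  # most recent USER argument seen on this pair
    failures: int = 0                # 530 replies since the last 230


def analyze(events: List[Event]) -> List[Alert]:
    """Replay control-channel lines and emit alerts.

    direction is 'c2s' for client commands and 's2c' for server replies.
    """
    sessions = defaultdict(SessionState)
    alerts: List[Alert] = []
    for client, server, direction, line in events:
        st = sessions[(client, server)]
        if direction == "c2s":
            m = USER_CMD.match(line)
            if m:
                st.last_user = m.group(1)
                if st.last_user.lower() in PRIVILEGED_USERS:
                    # Component A: any attempt, successful or not (3171-style).
                    alerts.append(("FTP Privileged Login Attempt", client, server, st.last_user))
        elif REPLY_530.match(line):
            st.failures += 1
        elif rfc_matches(line):
            user = st.last_user or "<unknown>"
            if user.lower() in PRIVILEGED_USERS:
                # Component B followed A on the same address pair: the meta condition.
                alerts.append(("FTP Successful Privileged Login", client, server, user))
            if st.failures >= FAILURE_THRESHOLD:
                # Repeated 530s followed by a 230 on the same pair.
                alerts.append(("FTP Successful Brute Force", client, server, user))
            st.failures = 0
    return alerts


# Constructed sample traffic (addresses from RFC 5737 documentation ranges and RFC 1918).
S1 = ("10.0.0.5", "192.0.2.10")
SAMPLE_EVENTS: List[Event] = [
    (*S1, "s2c", "220-Welcome to the constructed test server"),
    (*S1, "s2c", "220 "),
]
for attempt in range(3):  # three failed guesses against Administrator
    SAMPLE_EVENTS += [
        (*S1, "c2s", "USER Administrator"),
        (*S1, "s2c", "331 Please specify the password."),
        (*S1, "c2s", f"PASS guess{attempt}"),
        (*S1, "s2c", "530 Login incorrect."),
    ]
SAMPLE_EVENTS += [
    (*S1, "c2s", "USER Administrator"),
    (*S1, "s2c", "331 Please specify the password."),
    (*S1, "c2s", "PASS constructed-password"),
    (*S1, "s2c", "230 Login successful."),  # no "User" text: the narrow regex misses this
]
S2 = ("10.0.0.7", "192.0.2.10")
SAMPLE_EVENTS += [
    (*S2, "c2s", "USER bob"),
    (*S2, "s2c", "331 Password required for bob."),
    (*S2, "c2s", "PASS constructed-password"),
    (*S2, "s2c", "230 User bob logged in."),  # unprivileged: no alert expected
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints four attempt alerts for the Administrator session, then one successful privileged login and one successful brute force for the same address pair, and nothing for bob's session. Note that `narrow_matches("230 Login successful.")` is false while `rfc_matches` is true, which is exactly the gap the thread points out.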