# ET sid 2011124, rev 14 (current entry on this page).
# Alerts on server-to-client traffic (flow:from_server,established) from a $HOME_NET
# host whose payload begins with "220 ", sent from any source port except
# 21, 25, 119, 139, 445, 465, 587, 902 and 1433.
# content:"220 " with depth:4 pins the four bytes to the start of the inspected
# payload. Nothing else about the banner is checked, so any server-side payload that
# starts with "220 " can alert. Comments on this page report hits on PDF files and on
# an Exchange SMTP banner sent from a non-standard port.
# Unlike the rev 12 entries on this page, there is no negation for
# "VMware Authentication Daemon"; port 902 is only excluded through the port list.
# Triage: confirm whether the host is expected to offer FTP or SMTP on the alerting
# port, and review the rest of the session before treating it as an unexpected service.
# Deployment: the source-port list is 79 characters long. A comment on this page
# reports that lists over 64 characters crash some Snort versions and may not import
# correctly on Sourcefire sensors, so verify the rule loads on your sensor version.
alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:14;)
Added 2011-12-30 19:58:58 UTC
The source port list in this rule is longer than 64 characters, which causes some versions of Snort to crash. In addition, Sourcefire sensors are not likely to import this rule correctly, which could lead to other detection issues.
--
DjThomason - 31 Jul 2012
This rule regularly hits on PDF files. I suggest adding a negated content match such as content:!"%pdf" or similar.
--
MattNewham - 07 Jan 2013
# rev 14 snapshot; the rule text is identical to the current rule at the top of this page.
# Excluded source ports: 21, 25, 119, 139, 445, 465, 587, 902, 1433.
# "220 " must be the first four payload bytes (depth:4); no other banner content is checked.
alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:14;)
Added 2011-12-30 19:24:07 UTC
# rev 14 snapshot with the earliest rev 14 timestamp on this page; the rule text is
# identical to the current rule at the top of the page.
# Compared with the rev 12 entries, source port 119 is now excluded and the
# "VMware Authentication Daemon" negation is gone.
alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:14;)
Added 2011-12-30 18:03:21 UTC
# rev 12 snapshot. Excluded source ports: 21, 25, 139, 445, 465, 587, 902, 1433
# (119 is still covered in this revision).
# The negated content with depth:32 suppresses the alert when
# "VMware Authentication Daemon" appears within the first 32 payload bytes.
# The comment that follows this entry reports a false positive on an Exchange SMTP
# banner sent from a non-standard port; this revision has no exclusion for that case.
alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; content:!"VMware Authentication Daemon"; depth:32; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:12;)
Added 2011-10-12 19:31:22 UTC
False positive on Exchange running on a non-standard port, where the preprocessor is not expecting it:
220 mail.example.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Wed, 23 Nov 2011 13:48:23 -0100
--
MrKrugger? - 23 Nov 2011
# rev 12 snapshot. The matching options (port list, "220 " at depth:4, VMware negation
# at depth:32) are the same as in the other rev 12 entries on this page.
# Only the metadata differs: classtype is listed before reference, and the single
# reference is doc.emergingthreats.net/2011124.
alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; content:!"VMware Authentication Daemon"; depth:32; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; sid:2011124; rev:12;)
Added 2011-09-14 22:44:34 UTC
# rev 12 snapshot with the earliest rev 12 timestamp on this page.
# Relative to the rev 11 entry, it adds content:!"VMware Authentication Daemon"; depth:32;
# so a payload with that string in its first 32 bytes no longer alerts.
# The port list is unchanged from rev 11; this snapshot still carries the cvsweb reference.
alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; content:!"VMware Authentication Daemon"; depth:32; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:12;)
Added 2011-03-10 16:05:16 UTC
# rev 11 snapshot. Excluded source ports: 21, 25, 139, 445, 465, 587, 902, 1433.
# Relative to the rev 10 entries on this page, 139, 445 and 1433 are newly excluded.
# The only content check is "220 " in the first four payload bytes.
alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:11;)
Added 2011-02-04 17:30:52 UTC
# rev 10 snapshot. Excluded source ports: 21, 25, 465, 587, 902.
# depth is 4 here (rev 9 used 5), so "220 " must start at payload offset 0.
alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:10;)
Added 2010-06-09 18:46:01 UTC
# Duplicate rev 10 snapshot (same text and timestamp as the other rev 10 entry on this page).
# Excluded source ports: 21, 25, 465, 587, 902; "220 " anchored at offset 0 by depth:4.
alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:10;)
Added 2010-06-09 18:46:01 UTC
# rev 9 snapshot. Excluded source ports: 21, 25, 465, 587, 902 (465 and 587 are new
# relative to the rev 8 entries); msg now says "FTP 220 Banner".
# depth:5 with a four-byte content lets "220 " start at payload offset 0 or 1,
# which is slightly looser than the depth:4 used from rev 10 onward.
alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:9;)
Added 2010-05-26 20:00:58 UTC
# Duplicate rev 9 snapshot (same text and timestamp as the other rev 9 entry on this page).
# Excluded source ports: 21, 25, 465, 587, 902; depth:5 allows "220 " at offset 0 or 1.
alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:9;)
Added 2010-05-26 20:00:58 UTC
# rev 8 snapshot. Excluded source ports: 21, 25, 902 only.
# Match conditions are the same as in the rev 7 entries; this revision adds the two
# reference options. depth:5 allows "220 " at payload offset 0 or 1.
alert tcp $HOME_NET [0:20,22:24,26:901,903:65535] -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:8;)
Added 2010-05-23 22:46:03 UTC
# Duplicate rev 8 snapshot (same text and timestamp as the other rev 8 entry on this page).
# Excluded source ports: 21, 25, 902; depth:5 allows "220 " at offset 0 or 1.
alert tcp $HOME_NET [0:20,22:24,26:901,903:65535] -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:8;)
Added 2010-05-23 22:46:03 UTC
# rev 7 snapshot. First revision on this page to use an exclusion-style port list:
# every source port except 21, 25 and 902 (rev 6 used the range 21:902 instead).
# No reference options are present in this revision.
alert tcp $HOME_NET [0:20,22:24,26:901,903:65535] -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; sid:2011124; rev:7;)
Added 2010-05-22 01:53:28 UTC
# Duplicate rev 7 snapshot (same text and timestamp as the other rev 7 entry on this page).
# Excluded source ports: 21, 25, 902; no reference options.
alert tcp $HOME_NET [0:20,22:24,26:901,903:65535] -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; sid:2011124; rev:7;)
Added 2010-05-22 01:53:28 UTC
# rev 6 snapshot. The source port is the range 21:902, so this revision matches ports
# 21 through 902 inclusive (including 21 and 25 themselves) and nothing above 902.
# That is close to the inverse of the later revisions, which exclude 21, 25 and 902
# and cover everything else. NOTE(review): the range looks unintended - confirm
# before reusing this revision.
# The doc reference points at 2003055 rather than this rule's own sid 2011124.
alert tcp $HOME_NET 21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:6;)
Added 2010-05-20 10:46:05 UTC
# Earliest snapshot on this page (rev 6); rule text is identical to the other rev 6 entry.
# Source port range 21:902 matches ports 21 through 902 inclusive, unlike the
# exclusion-style lists used from rev 7 onward.
alert tcp $HOME_NET 21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:6;)
Added 2010-05-20 10:43:59 UTC