# sid 2011124 rev 20 (the current revision; the leading '#' leaves it disabled).
# Matches on an established, reassembled server-to-client stream (flow:from_server,established,only_stream)
# from a $HOME_NET port that is NOT in the negated list, when the payload begins with the 4 bytes "220 "
# and the string "SMTP" is not found within the 20 bytes that follow it (content:!"SMTP"; within:20).
# NOTE(review): the 2016-07-24 comment further down asks for IMAP port 143 to be excluded as well
# (reported false positives on IMAP); 143 is still absent from the negated port list in this revision.
#alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:20; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_09_08;)
Added 2022-05-19 19:05:57 UTC
#alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_09_08;)
Added 2020-08-05 19:06:33 UTC
#alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; metadata: former_category ADWARE_PUP; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19; metadata:created_at 2010_07_30, updated_at 2017_09_08;)
Added 2019-09-26 19:56:39 UTC
#alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19; metadata:created_at 2010_07_30, updated_at 2017_09_08;)
Added 2018-09-13 19:41:51 UTC
Added 2018-09-13 17:54:52 UTC
#alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19; metadata:created_at 2010_07_30, updated_at 2017_09_08;)
Added 2017-09-11 17:12:42 UTC
alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2017-08-07 21:04:17 UTC
alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19;)
Added 2016-08-04 18:02:07 UTC
alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19;)
Added 2016-04-04 17:16:21 UTC
Thanks for excluding POP3 from this rule. Now I have noticed that you will also need to exclude IMAP on port 143, since I still get quite a lot of false positives from IMAP traffic matching.
--
JohnNaggets - 2016-07-24
alert ftp $HOME_NET ![21,25,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:18;)
Added 2015-08-26 17:51:15 UTC
We get quite a lot of false positives with this one due to the POP3 protocol on port 110. It would be great if port 110, or more generally POP3 traffic, could be excluded from this rule.
--
JohnNaggets - 2016-04-02
Thanks, we'll get this out today!
--
DarienH - 2016-04-04
alert ftp $HOME_NET ![21,25,119,139,445,465,587,902,1433] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"ESMTP"; distance:0; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:17;)
Added 2014-10-06 16:56:03 UTC
alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:16;)
Added 2014-08-28 18:33:50 UTC
alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:14;)
Added 2011-12-30 19:58:58 UTC
The source port list of this rule exceeds 64 characters and will cause some versions of Snort to crash. In addition, Sourcefire sensors are not likely to import this rule correctly, which could lead to other detection issues.
--
DjThomason - 31 Jul 2012
This rule hits on PDF files regularly. I suggest adding content: !"%pdf" or similar.
--
MattNewham - 07 Jan 2013
alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:14;)
Added 2011-12-30 19:24:07 UTC
alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:14;)
Added 2011-12-30 18:03:21 UTC
alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; content:!"VMware Authentication Daemon"; depth:32; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:12;)
Added 2011-10-12 19:31:22 UTC
False positive on Exchange on a non-standard port, with the preprocessor not expecting it:
220 mail.example.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Wed, 23 Nov 2011 13:48:23 -0100
--
MrKrugger? - 23 Nov 2011
alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; content:!"VMware Authentication Daemon"; depth:32; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; sid:2011124; rev:12;)
Added 2011-09-14 22:44:34 UTC
alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; content:!"VMware Authentication Daemon"; depth:32; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:12;)
Added 2011-03-10 16:05:16 UTC
alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:11;)
Added 2011-02-04 17:30:52 UTC
alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:10;)
Added 2010-06-09 18:46:01 UTC
alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:10;)
Added 2010-06-09 18:46:01 UTC
alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:9;)
Added 2010-05-26 20:00:58 UTC
alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:9;)
Added 2010-05-26 20:00:58 UTC
alert tcp $HOME_NET [0:20,22:24,26:901,903:65535] -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:8;)
Added 2010-05-23 22:46:03 UTC
alert tcp $HOME_NET [0:20,22:24,26:901,903:65535] -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:8;)
Added 2010-05-23 22:46:03 UTC
alert tcp $HOME_NET [0:20,22:24,26:901,903:65535] -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; sid:2011124; rev:7;)
Added 2010-05-22 01:53:28 UTC
alert tcp $HOME_NET [0:20,22:24,26:901,903:65535] -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; sid:2011124; rev:7;)
Added 2010-05-22 01:53:28 UTC
alert tcp $HOME_NET 21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:6;)
Added 2010-05-20 10:46:05 UTC
alert tcp $HOME_NET 21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:6;)
Added 2010-05-20 10:43:59 UTC