alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET POLICY Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:13; metadata:created_at 2010_07_30, updated_at 2017_04_21;)

Added 2017-08-07 20:56:26 UTC

You can get false positives from this signature on rpm-based Linux systems doing a repo query.

-- EdGreshko - 2017-08-17


alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET POLICY Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:13;)

Added 2017-05-05 16:58:49 UTC


alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET POLICY Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:13;)

Added 2017-05-03 17:35:05 UTC


alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET POLICY Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:13;)

Added 2017-04-21 17:28:15 UTC


#alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:12;)

Added 2017-04-20 17:48:38 UTC


alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:12;)

Added 2015-05-12 18:49:02 UTC


alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:11;)

Added 2011-12-30 19:58:58 UTC

The source port range on this rule exceeds 64 characters and will cause some versions of snort to crash. It will not likely be imported into a Sourcefire sensor correctly and could cause additional detection issues.

-- DjThomason - 31 Jul 2012
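A helper added here (not the ET rule's or this wiki's own code) that checks the point DjThomason raises: it measures the rev 11 source-port field against the 64-character limit and lists the ports the positive ranges leave out. The `![...]` spelling it derives is an assumption about the sensor's port-list syntax, and the limit is applied to the bracketed field as written in the rule file.

```python
# Source-port field of rev 11 of SID 2003055 as shown on this page (the wiki
# drops a leading bang, so whether the list is negated is taken from the input).
REV11_PORTS = ("[0:20,22:24,26:118,120:138,140:444,446:464,"
               "466:586,588:901,903:1432,1434:65535]")

# Limit reported in the comment above; assumed to apply to the bracketed
# string exactly as it appears in the rule header.
PORT_FIELD_LIMIT = 64


def parse_port_list(spec):
    """Parse a Snort port list such as '[0:20,22:24]' or '!21:902'.

    Returns (negated, ranges) with ranges as sorted (lo, hi) tuples.
    """
    negated = spec.startswith("!")
    body = spec.lstrip("!").strip("[]")
    ranges = []
    for item in body.split(","):
        lo, sep, hi = item.partition(":")
        if not sep:          # single port, e.g. '21'
            hi = lo
        ranges.append((int(lo or 0), int(hi or 65535)))
    return negated, sorted(ranges)


def excluded_ports(ranges):
    """Ports in 0..65535 that a sorted, non-overlapping range list leaves out."""
    gaps, cursor = [], 0
    for lo, hi in ranges:
        gaps.extend(range(cursor, lo))
        cursor = max(cursor, hi + 1)
    gaps.extend(range(cursor, 65536))
    return gaps


def check_port_field(spec, limit=PORT_FIELD_LIMIT):
    """Report the field length and, for a positive 'all but a few' list,
    the equivalent explicit negation, which is far shorter."""
    negated, ranges = parse_port_list(spec)
    report = {"length": len(spec), "over_limit": len(spec) > limit}
    if not negated:
        gaps = excluded_ports(ranges)
        report["excluded"] = gaps
        # Assumed alternative spelling; validate on the target Snort version.
        report["negated_form"] = "![" + ",".join(map(str, gaps)) + "]"
    return report


if __name__ == "__main__":
    print(check_port_field(REV11_PORTS))
```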


alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:11;)

Added 2011-12-30 19:24:07 UTC


alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:11;)

Added 2011-12-30 18:03:19 UTC


alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:10;)

Added 2011-10-12 19:12:47 UTC


alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; sid:2003055; rev:10;)

Added 2011-09-14 22:25:44 UTC


alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2003055; rev:10;)

Added 2011-02-04 17:22:13 UTC


alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2003055; rev:9;)

Added 2010-06-09 18:46:01 UTC



alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2003055; rev:8;)

Added 2010-05-26 20:00:58 UTC



alert tcp $HOME_NET [0:20,22:24,26:901,903:65535] -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2003055; rev:7;)

Added 2010-05-22 01:53:28 UTC



alert tcp $HOME_NET 21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2003055; rev:6;)

Added 2010-05-20 10:46:05 UTC



alert tcp $HOME_NET 21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2003055; rev:6;)

Added 2010-05-20 10:43:59 UTC



alert tcp $HOME_NET 21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port"; flow:from_server,established; content:"220"; offset:0; depth:4; pcre:"/220[- ]/"; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2003055; rev:5;)

Added 2009-02-08 17:45:22 UTC

When viewing this rule here, it has no bang (!) before the port numbers. However, when I download the rule, there is a bang. Which is correct?

-- JeremyNenadal - 08 Jan 2010

The bang is correct; I think our wiki is interpreting that as formatting.

-- MattJonkman - 08 Jan 2010


alert tcp $HOME_NET 21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port"; flow:from_server,established; content:"220"; offset:0; depth:4; pcre:"/220[- ]/"; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2003055; rev:5;)

Added 2009-02-08 17:45:22 UTC


alert tcp $HOME_NET 21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port"; flow:from_server,established; content:"220"; offset:0; depth:4; pcre:"/220[- ]/"; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2003055; rev:5;)

Added 2009-02-08 17:42:35 UTC



alert tcp $HOME_NET 21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port"; flow:from_server,established; content:"220"; offset:0; depth:4; pcre:"/220[- ]/"; classtype:non-standard-protocol; sid:2003055; rev:4;)

Added 2008-01-28 17:24:18 UTC

Triggers on netbackup (which shouldn't be run on the main network anyway...)

[**] [1:2003055:4] ET MALWARE Suspicious 220 Banner on Local Port [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {TCP} 172.20.xx.xx:13724 -> 192.168.xx.xx:2453

-- DaveGlosser - 16 Jan 2009



alert tcp $HOME_NET 21:902 -> any any (msg:"BLEEDING-EDGE MALWARE Suspicious 220 Banner on Local Port"; flow:from_server,established; content:"220"; offset:0; depth:4; pcre:"/220[- ]/"; classtype:non-standard-protocol; sid:2003055; rev:3; )



Topic attachments

Attachment: repo-query.pcap.gz (gz, 883.7 K), 2017-08-17 10:53, EdGreshko: Compressed pcap file showing repo query sequence
Topic revision: r6 - 2017-08-17 - EdGreshko