alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; nocase; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; classtype:trojan-activity; sid:2003464; rev:5;)

Added 2011-10-12 19:13:31 UTC


alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; nocase; classtype:trojan-activity; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; sid:2003464; rev:5;)

Added 2011-09-14 22:26:30 UTC


alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; nocase; classtype:trojan-activity; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2003464; rev:5;)

Added 2011-02-04 17:22:29 UTC


alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2003464; rev:4;)

Added 2010-06-15 13:15:59 UTC


alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2003464; rev:4;)

Added 2010-06-15 13:15:59 UTC


alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2003464; rev:3;)

Added 2009-02-06 19:00:55 UTC


alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Malicious_FTP; sid:2003464; rev:3;)

Added 2009-02-06 19:00:55 UTC


alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; sid:2003464; rev:2;)

Added 2008-01-23 10:46:27 UTC


alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; sid:2003464; rev:2;)

Added 2008-01-23 10:46:27 UTC


alert tcp any 21 -> $HOME_NET any (msg:"BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; sid:2003464; rev:1;)

Auto-added on 2007-03-06 16:32:09 UTC



alert tcp any 21 -> $HOME_NET any (msg:"BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; sid:2003464; rev:1;)

Auto-added on 2007-03-05 23:53:04 UTC



alert tcp any 21 -> $HOME_NET any (msg:"BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; sid:2003464; rev:1;)

Auto-added on 2007-03-05 23:52:48 UTC



alert tcp any 21 -> $HOME_NET any (msg:"BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; sid:2003464; rev:1;)

Auto-added on 2007-03-05 23:52:24 UTC



alert tcp any 21 -> $HOME_NET any (msg:"BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; sid:2003464; rev:1;)

Auto-added on 2007-03-05 23:49:20 UTC


For sessions that look like so:

220 ---freeFTPd 1.0---warFTPd 1.65---

USER username

331 User OK, Password required

PASS password

530 Authentication failed, sorry

QUIT

-- MattJonkman - 05 Mar 2007


Topic revision: r2 - 2007-03-05 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats