#alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19; metadata:created_at 2010_07_30, updated_at 2017_09_08;)

Added 2017-09-11 17:12:42 UTC


alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:04:17 UTC


alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19;)

Added 2016-08-04 18:02:07 UTC


alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19;)

Added 2016-04-04 17:16:21 UTC

Thanks for excluding POP3 from this rule, now I noticed that you will also need to exclude IMAP port 143. I still get quite a lot of false positives because of IMAP traffic matching.

-- JohnNaggets - 2016-07-24


alert ftp $HOME_NET ![21,25,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:18;)

Added 2015-08-26 17:51:15 UTC

We get quite a lot of false positives with this one due to the POP3 protocol on port 110; it would be great if port 110, or more generally POP3 traffic, could be excluded from this rule.

-- JohnNaggets - 2016-04-02

Thanks, we'll get this out today!

-- DarienH - 2016-04-04


alert ftp $HOME_NET ![21,25,119,139,445,465,587,902,1433] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"ESMTP"; distance:0; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:17;)

Added 2014-10-06 16:56:03 UTC


alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:16;)

Added 2014-08-28 18:33:50 UTC


alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:14;)

Added 2011-12-30 19:58:58 UTC

The source port of this rule exceeds 64 characters and will cause some versions of snort to crash. In addition, Sourcefire sensors are not likely to import this rule correctly which could lead to other detection issues.

-- DjThomason - 31 Jul 2012

Hits on PDF files regularly. I suggest adding content:!"%pdf" or similar.

-- MattNewham - 07 Jan 2013


alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:14;)

Added 2011-12-30 19:24:07 UTC


alert tcp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:14;)

Added 2011-12-30 18:03:21 UTC


alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; content:!"VMware Authentication Daemon"; depth:32; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:12;)

Added 2011-10-12 19:31:22 UTC

False positive on Exchange on a non-standard port and the preprocessor not expecting it: 220 mail.example.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Wed, 23 Nov 2011 13:48:23 -0100

-- MrKrugger - 23 Nov 2011
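The following is an added illustration, not Emerging Threats code: it models how the rev:19 rule at the top of this page evaluates a server banner (the `depth:4` and negated `within:20` checks plus the source-port exclusion), using the Exchange banner quoted above as one input, and it rebuilds the explicit port-range syntax of rev:16 and earlier from an exclusion list so the 64-character source-port problem raised in the comments can be checked. The port set and the range list are copied from the rules on this page; the banners and port numbers are constructed sample values.

```python
# Constructed model of ET sid 2011124 (rev:19) matching; not the ET project's code.

# Source ports excluded by the rev:19 rule, copied from the rule text.
EXCLUDED_PORTS = {21, 25, 110, 119, 139, 445, 465, 475, 587, 902, 1433, 2525}


def rule_2011124_matches(src_port: int, payload: bytes) -> bool:
    """Return True when rev:19 would alert on a server-to-client segment
    with this source port and payload (flow/stream options assumed met)."""
    if src_port in EXCLUDED_PORTS:
        return False
    # content:"220 "; depth:4  -> "220 " must sit in the first 4 bytes.
    if payload[:4] != b"220 ":
        return False
    # content:!"SMTP"; within:20 -> the negated pattern is only searched in
    # the 20 bytes right after "220 "; an "SMTP" further out does not
    # suppress the alert, so long hostnames still produce a hit.
    window = payload[4:4 + 20]
    return b"SMTP" not in window


def negated_ports_to_ranges(excluded, lo=0, hi=65535) -> str:
    """Rebuild the explicit range list of rev:16 and earlier (e.g.
    [0:20,22:24,...,1434:65535]) from a set of excluded ports."""
    ranges, start = [], lo
    for p in sorted(excluded):
        if p > start:
            ranges.append(f"{start}:{p - 1}" if p - 1 > start else f"{start}")
        start = p + 1
    if start <= hi:
        ranges.append(f"{start}:{hi}")
    return "[" + ",".join(ranges) + "]"


if __name__ == "__main__":
    # Constructed banners: an FTP server on an odd port, the Exchange banner
    # quoted in the comments, and a short-hostname ESMTP banner.
    print(rule_2011124_matches(8021, b"220 ProFTPD Server ready."))
    print(rule_2011124_matches(2500, b"220 mail.example.com Microsoft ESMTP MAIL Service ready"))
    print(rule_2011124_matches(2500, b"220 mx1.corp ESMTP Postfix"))
    spec = negated_ports_to_ranges({21, 25, 119, 139, 445, 465, 587, 902, 1433})
    print(spec, len(spec))
```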


alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; content:!"VMware Authentication Daemon"; depth:32; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; sid:2011124; rev:12;)

Added 2011-09-14 22:44:34 UTC


alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; content:!"VMware Authentication Daemon"; depth:32; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:12;)

Added 2011-03-10 16:05:16 UTC


alert tcp $HOME_NET [0:20,22:24,26:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:11;)

Added 2011-02-04 17:30:52 UTC


alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:4; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:10;)

Added 2010-06-09 18:46:01 UTC


alert tcp $HOME_NET [0:20,22:24,26:464,466:586,588:901,903:65535] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:9;)

Added 2010-05-26 20:00:58 UTC


alert tcp $HOME_NET [0:20,22:24,26:901,903:65535] -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/2011124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:8;)

Added 2010-05-23 22:46:03 UTC


alert tcp $HOME_NET [0:20,22:24,26:901,903:65535] -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; sid:2011124; rev:7;)

Added 2010-05-22 01:53:28 UTC


alert tcp $HOME_NET 21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:6;)

Added 2010-05-20 10:46:05 UTC


alert tcp $HOME_NET 21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port (spaced)"; flow:from_server,established; content:"220 "; depth:5; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2011124; rev:6;)

Added 2010-05-20 10:43:59 UTC


Topic revision: r7 - 2016-07-24 - JohnNaggets