3171:0/1 FTP Privileged Login

m-hansson
Level 1

This signature seems to fire on FTP servers with a welcome message before the login prompt.

E.g.

Connected to 127.0.0.1.
220-##
220-##
220-*--------------------------------------------------------------------------------*
220-*--------------------------------------------------------------------------------*
220-##
220-##
220
-> USER Administrator
331 Please specify the password.
-> PASS blaha
530 Login incorrect.
...

Are these signatures really looking for the response code 230?


wsulym
Cisco Employee

The signatures look for users "root" or "administrator" attempting to login to an ftp server, successful or not.

Ah ok. (It was the MARS Category string that fooled me.)

Is there a way to tune these signatures into only detecting successful logins?

The thinking here is that anyone trying to log into an ftp server as root or administrator is generally not a good thing.

That said, you couldn't tune 3171 itself, but you could use it along with a custom signature and combine the two into a meta sig.

Create a custom signature for the 230 login successful:

in string.tcp, from port 21

regex 230\x20[Uu][Ss][Ee][Rr]\x20

swap attacker/victim

(you may choose to suppress the "produce-alert" action for this signature)

Combine 3171-0 and the newly created "230" sig into another custom signature in the META engine.

3171-0 and your sig are components that appear in that order, meta key AxBx (attacker and victim addresses)

"The thinking here is that anyone trying to log into an ftp server as root or administrator is generally not a good thing."

True, but if you have a sensor in front of an Internet facing FTP server...you WILL see attempts to login with the root/admin account. Having a sig for that is still good and users should be able to choose whether they want alarms. However, I would second a request to have Cisco write a signature to detect successful root/admin ftp logins. Much more meaningful and actionable in my opinion.

It looks like Cisco is listening ;-)

I haven't tested or even looked at said signatures, but the latest sig update (S276) appears to have a sig to detect successful privileged FTP logins:

5.x,6.x 5847.0 FTP Successful Privileged Login META Low True
5.x,6.x 5847.1 FTP Successful Privileged Login META Low True

Thanks wsulym.

We listen. Have a good weekend. :-)

Very nice! :)

Looking at signature 5846 (FTP 230 Reply Code) and the regexp "230 [Uu][Ss][Ee][Rr] ".

An FTP server is not required to have the string "User" after a 230 response code, so this signature will only detect successful logins to some FTP servers :(.

You are correct, per RFC, all that's required is the "230" reply - the rest makes it easy for carbon-based lifeforms to understand and is optional. A more RFC conforming change to that sig will be in the next update.

Great :)

Another meta signature that would be useful is something like "FTP Successful Brute Force", consisting of signatures 6250 (FTP Auth. Failure) and 5846 (FTP 230 Reply Code), to detect successful brute force attempts.
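The following is an added example, not Cisco IPS code and not something any poster in this thread wrote. It models in Python the detection logic the thread walks through: the 3171-style component (USER root/administrator, whether or not the login succeeds), the 230-reply component with both the "230 User " regex quoted above and an RFC 959-style check that keys only on the reply code, the META combination "privileged USER then 230 from the same client/server pair" (the AxBx key, with the client treated as attacker for both directions so no attacker/victim swap is needed), and the "successful brute force" meta suggested in the last post (N 530 replies followed by a 230). The signature numbers are reused only as alert labels; the class and function names, the IP addresses, the failure threshold and the sample session are all assumptions made for this example.

```python
"""Toy correlator for the FTP signatures discussed in the thread (added example)."""
import re
from collections import defaultdict

PRIV_USERS = {"root", "administrator"}

USER_RE = re.compile(r"^USER[ \t]+(\S+)", re.IGNORECASE)

# The regex quoted in the thread. Matches "230 User root logged in." but not
# "230 Login successful." (vsftpd), because RFC 959 mandates only the code.
NARROW_230_RE = re.compile(r"230\x20[Uu][Ss][Ee][Rr]\x20")

# RFC 959 reply framing: "ddd text" is a single-line (or final) reply line,
# "ddd-text" opens a multi-line reply. Only the final line terminates the reply.
FINAL_REPLY_RE = re.compile(r"^(\d{3})(?: |$)")


def narrow_230(line: str) -> bool:
    """True if the thread's original 'User'-dependent regex would fire."""
    return NARROW_230_RE.search(line) is not None


def final_reply_code(line: str):
    """Return the 3-digit code if LINE terminates a server reply, else None."""
    m = FINAL_REPLY_RE.match(line)
    return m.group(1) if m else None


class FtpMetaCorrelator:
    """Tracks component 'signatures' per (client, server) pair and emits metas."""

    def __init__(self, fail_threshold: int = 3):   # threshold is an assumption
        self.fail_threshold = fail_threshold
        self.pending_priv = {}             # (client, server) -> privileged user awaiting reply
        self.failures = defaultdict(int)   # (client, server) -> consecutive 530 replies
        self.alerts = []

    def feed(self, client: str, server: str, from_server: bool, line: str):
        # META key AxBx: client = attacker, server = victim, for both directions.
        key = (client, server)
        if not from_server:
            m = USER_RE.match(line)
            if m:
                user = m.group(1)
                if user.lower() in PRIV_USERS:
                    self.alerts.append(("3171 FTP Privileged Login", key, user))
                    self.pending_priv[key] = user
                else:
                    self.pending_priv.pop(key, None)
            return
        code = final_reply_code(line)
        if code == "530":
            self.alerts.append(("6250 FTP Auth Failure", key, None))
            self.failures[key] += 1
            self.pending_priv.pop(key, None)   # client must send USER again
        elif code == "230":
            self.alerts.append(("5846 FTP 230 Reply Code", key, None))
            user = self.pending_priv.pop(key, None)
            if user is not None:               # 3171 then 230, in that order, same pair
                self.alerts.append(("5847 FTP Successful Privileged Login", key, user))
            if self.failures[key] >= self.fail_threshold:
                self.alerts.append(("META FTP Successful Brute Force", key, self.failures[key]))
            self.failures[key] = 0

    def alert_names(self):
        return [a[0] for a in self.alerts]


# Constructed session (not from the original thread): a banner like the one in
# the question, three failed guesses as "Administrator", then a success from a
# vsftpd-style server whose 230 text does not contain the word "User".
SAMPLE = [
    (True,  "220-##"),
    (True,  "220-*----*"),
    (True,  "220"),
    (False, "USER Administrator"), (True, "331 Please specify the password."),
    (False, "PASS blaha"),         (True, "530 Login incorrect."),
    (False, "USER Administrator"), (True, "331 Please specify the password."),
    (False, "PASS guess2"),        (True, "530 Login incorrect."),
    (False, "USER Administrator"), (True, "331 Please specify the password."),
    (False, "PASS guess3"),        (True, "530 Login incorrect."),
    (False, "USER Administrator"), (True, "331 Please specify the password."),
    (False, "PASS right"),         (True, "230 Login successful."),
]


def run_sample(threshold: int = 3) -> FtpMetaCorrelator:
    c = FtpMetaCorrelator(fail_threshold=threshold)
    for from_server, line in SAMPLE:
        c.feed("10.0.0.5", "192.0.2.21", from_server, line)   # addresses are assumptions
    return c


if __name__ == "__main__":
    for alert in run_sample().alerts:
        print(alert)
```

On the constructed session the narrow "230 User " regex never fires, so a meta built on it would miss the successful privileged login entirely; keying on the final 230 reply line instead catches it, and the same 230 event closes out the brute-force meta because three 530 replies preceded it for the same client/server pair.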
