New Member

3171:0/1 FTP Privileged Login

This signature seems to fire on FTP servers that send a welcome message before the login prompt.

E.g.:

Connected to 127.0.0.1.
220-##
220-##
220-*--------------------------------------------------------------------------------*
220-*--------------------------------------------------------------------------------*
220-##
220-##
220
-> USER Administrator
331 Please specify the password.
-> PASS blaha
530 Login incorrect.
...

Are these signatures really looking for the response code 230?

ACCEPTED SOLUTION

Cisco Employee

Re: 3171:0/1 FTP Privileged Login

We listen. Have a good weekend. :-)

10 REPLIES
Cisco Employee

Re: 3171:0/1 FTP Privileged Login

The signatures look for users "root" or "administrator" attempting to log in to an ftp server, successful or not.

New Member

Re: 3171:0/1 FTP Privileged Login

Ah ok. (It was the MARS Category string that fooled me.)

Is there a way to tune these signatures to detect only successful logins?

Cisco Employee

Re: 3171:0/1 FTP Privileged Login

The thinking here is that anyone trying to log into an ftp server as root or administrator is generally not a good thing.

That said, you couldn't tune 3171 itself, but you could use it along with a custom signature and combine the two into a meta sig.

Create a custom signature for the 230 login successful:

in string.tcp, from port 21
regex 230\x20[Uu][Ss][Ee][Rr]\x20
swap attacker/victim
(you may choose to suppress the "produce-alert" action for this signature)

Combine 3171-0 and the newly created "230" sig into another custom signature in the META engine.

3171-0 and your sig are components that appear in that order, meta key AxBx (attacker and victim addresses)

Gold

Re: 3171:0/1 FTP Privileged Login

"The thinking here is that anyone trying to log into an ftp server as root or administrator is generally not a good thing."

True, but if you have a sensor in front of an Internet facing FTP server...you WILL see attempts to login with the root/admin account. Having a sig for that is still good and users should be able to choose whether they want alarms. However, I would second a request to have Cisco write a signature to detect successful root/admin ftp logins. Much more meaningful and actionable in my opinion.

Gold

Re: 3171:0/1 FTP Privileged Login

It looks like Cisco is listening ;-)

I haven't tested or even looked at said signatures, but the latest sig update (S276) appears to have a sig to detect successful privileged FTP logins:

5.x,6.x 5847.0 FTP Successful Privileged Login META Low True

5.x,6.x 5847.1 FTP Successful Privileged Login META Low True

Thanks wsulym.

New Member

Re: 3171:0/1 FTP Privileged Login

Very nice! :)

New Member

Re: 3171:0/1 FTP Privileged Login

Looking at signature 5846 (FTP 230 Reply Code) and the regexp "230 [Uu][Ss][Ee][Rr] ".

An FTP server is not required to send the string "User" after a 230 reply code, so this signature will only detect successful logins to some FTP servers :(.

Cisco Employee

Re: 3171:0/1 FTP Privileged Login

You are correct; per RFC, all that's required is the "230" reply - the rest makes it easy for carbon-based lifeforms to understand and is optional. A more RFC-conforming change to that sig will be in the next update.

New Member

Re: 3171:0/1 FTP Privileged Login

Great :)

Another meta signature that would be useful is something like "FTP Successful Brute Force", consisting of signatures 6250 (FTP Auth. Failure) and 5846 (FTP 230 Reply Code), to detect successful brute-force attempts.
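The detection logic discussed across this thread, in runnable form: the two-component meta signature from the Cisco employee's earlier reply (3171 on "USER root/administrator", then a 230 reply from the same attacker/victim pair), the narrow "230 User" regex next to an RFC 959-style match on the 230 reply code alone, and the brute-force meta suggested in this last reply (6250 failures followed by a 5846 success). This is an added example in Python, not Cisco IPS code and not the sensor's signature definitions; the signature numbers and meta names come from the thread, while the transcript, the IP addresses, the threshold of three failures and every function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Component signatures (numbers from the thread; the regexes are this example's
# reading of them, not the sensor's definitions).
PRIVILEGED_USERS = {"root", "administrator"}
USER_CMD = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
SIG_3171 = re.compile(r"^USER\s+(root|administrator)\s*$", re.IGNORECASE)  # success or not
# 5846 as first shipped: needs the literal "User" after the code, so it only
# matches servers that phrase their 230 reply that way
SIG_5846_NARROW = re.compile(r"230\x20[Uu][Ss][Ee][Rr]\x20")
# 5846 the RFC 959 way: the final reply line is the 3-digit code followed by a
# space (or end of line); "230-..." continuation lines do not match
SIG_5846_RFC = re.compile(r"^230(?=\s|$)")
SIG_6250 = re.compile(r"^530(?=\s|$)")  # authentication failure
BRUTE_FORCE_FAILURES = 3  # assumed threshold; the thread gives none


def component_hits(direction, line):
    """Component signatures that fire on one FTP line ("C" client, "S" server)."""
    hits = set()
    if direction == "C" and SIG_3171.search(line):
        hits.add("3171")
    if direction == "S":
        if SIG_5846_NARROW.search(line):
            hits.add("5846-narrow")
        if SIG_5846_RFC.search(line):
            hits.add("5846")
        if SIG_6250.search(line):
            hits.add("6250")
    return hits


def component_counts(events):
    """How often each component signature fires over a whole event list."""
    counts = defaultdict(int)
    for _, _, direction, line in events:
        for name in component_hits(direction, line):
            counts[name] += 1
    return dict(counts)


def correlate(events, success_sig="5846"):
    """META-style correlation keyed on attacker+victim (the thread's AxBx).

    events are ordered (attacker_ip, victim_ip, direction, line) tuples; returns
    (meta_name, attacker, victim) alerts in firing order.  Tracking the most
    recent USER rather than "any earlier 3171 hit" avoids alerting when USER
    root fails and a different account then logs in.
    """
    last_user = {}
    failures = defaultdict(int)
    alerts = []
    for attacker, victim, direction, line in events:
        key = (attacker, victim)
        if direction == "C":
            m = USER_CMD.search(line)
            if m:
                last_user[key] = m.group(1).lower()
        hits = component_hits(direction, line)
        if "6250" in hits:
            failures[key] += 1
        if success_sig in hits:
            if last_user.get(key) in PRIVILEGED_USERS:
                alerts.append(("FTP Successful Privileged Login", attacker, victim))
            if failures[key] >= BRUTE_FORCE_FAILURES:
                alerts.append(("FTP Successful Brute Force", attacker, victim))
            failures[key] = 0  # a success closes the sequence for this pair
    return alerts


# Constructed transcript (not from the original post): three clients against
# one FTP server; 331 password prompts omitted for brevity.
V = "192.0.2.10"
EVENTS = [
    # pair 1: three failures against Administrator/root, then root succeeds
    ("198.51.100.7", V, "C", "USER Administrator"),
    ("198.51.100.7", V, "C", "PASS blaha"),
    ("198.51.100.7", V, "S", "530 Login incorrect."),
    ("198.51.100.7", V, "C", "USER Administrator"),
    ("198.51.100.7", V, "C", "PASS admin123"),
    ("198.51.100.7", V, "S", "530 Login incorrect."),
    ("198.51.100.7", V, "C", "USER root"),
    ("198.51.100.7", V, "C", "PASS toor"),
    ("198.51.100.7", V, "S", "530 Login incorrect."),
    ("198.51.100.7", V, "C", "USER root"),
    ("198.51.100.7", V, "C", "PASS Summer2009"),
    ("198.51.100.7", V, "S", "230 Login successful."),  # no "User" wording
    # pair 2: ordinary account; multi-line 230 phrased the way the narrow regex wants
    ("203.0.113.5", V, "C", "USER bob"),
    ("203.0.113.5", V, "C", "PASS hunter2"),
    ("203.0.113.5", V, "S", "230-Welcome back, bob."),
    ("203.0.113.5", V, "S", "230 User bob logged in."),
    # pair 3: one failed root attempt, nothing more (3171 fires, no meta does)
    ("203.0.113.9", V, "C", "USER root"),
    ("203.0.113.9", V, "C", "PASS guess"),
    ("203.0.113.9", V, "S", "530 Login incorrect."),
]

if __name__ == "__main__":
    print(component_counts(EVENTS))
    print(correlate(EVENTS))                             # both metas fire for pair 1
    print(correlate(EVENTS, success_sig="5846-narrow"))  # [] : wording-bound 230 sig misses it
```

Run as-is, the RFC-style 230 match raises both meta alerts for the first client pair, while the same correlation driven by the original "230 User" regex raises nothing, because that server phrases its success reply differently; that is exactly the gap pointed out two replies up.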
