On Tue, 2006-07-25 at 19:12 -0400, Matt Jonkman wrote:
> #by Reg Quinton
> alert tcp $HOME_NET !21:902 -> any any (msg:"BLEEDING-EDGE MALWARE Suspicious 220 Banner on Local Port"; flow:from_server,established; content:"220"; pcre:"/220[- ]/"; offset:0; depth:4; classtype:non-standard-protocol; sid:2003055; rev:1;)
>
> Posted
This rule seems to be a duplicate of 2001815:

alert tcp $HOME_NET !21:587 -> any any (msg:"BLEEDING-EDGE Spambot Suspicious 220 Banner on Local Port"; flow:established; content:"220 "; offset:0; depth:4; tag:session,20,packets; classtype:non-standard-protocol; sid:2001815; rev:4;)
Perhaps we can combine these. The ports should also be adjusted to cover port 20, which we're seeing tons of false positives on. Maybe we want to retire 2001815 in favor of 2003055? Your thoughts?
Cheers,
Frank
--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
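To make the overlap concrete, here is a small model of the port, content/offset/depth and pcre constraints of the two rules, added as an illustration (it is not Snort's matcher and not code from the list). It assumes that "cover port 20" means widening the excluded source-port range to `!20:902` / `!20:587`, and the sample banners are constructed.

```python
import re

# Added model of the two rules discussed above (not Snort itself):
# only the port field, content/offset/depth and pcre checks are modelled.

def port_predicate(spec):
    """Predicate for a Snort port field: 'any', '25', '21:902' or a '!'-negated form."""
    negate = spec.startswith("!")
    body = spec.lstrip("!")
    if body == "any":
        return lambda port: not negate
    if ":" in body:
        lo, hi = body.split(":")
        lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 65535)
        return lambda port: (lo <= port <= hi) != negate
    single = int(body)
    return lambda port: (port == single) != negate

def content_in_window(payload, needle, offset, depth):
    """Snort content with offset/depth: needle must sit inside payload[offset:offset+depth]."""
    return needle in payload[offset:offset + depth]

def matches_2003055(src_port, payload, ports="!21:902"):
    """sid 2003055: content "220" in the first 4 bytes plus unanchored pcre /220[- ]/."""
    return (port_predicate(ports)(src_port)
            and content_in_window(payload, b"220", 0, 4)
            and re.search(rb"220[- ]", payload) is not None)

def matches_2001815(src_port, payload, ports="!21:587"):
    """sid 2001815: literal "220 " (with trailing space) in the first 4 bytes."""
    return port_predicate(ports)(src_port) and content_in_window(payload, b"220 ", 0, 4)

# Constructed sample server responses: (source port, first payload bytes).
SAMPLES = {
    "ftp-data port 20":     (20,   b"220 ftp.example.invalid ready\r\n"),
    "real smtp port 25":    (25,   b"220 mail.example.invalid ESMTP\r\n"),
    "multi-line banner":    (2525, b"220-welcome\r\n220 ok\r\n"),
    "port in 588..902 gap": (700,  b"220 hello\r\n"),
}

def compare_rules(exclude_from=21):
    """Map sample name -> (fires 2003055, fires 2001815); exclude_from=20 models the port fix."""
    wide, narrow = f"!{exclude_from}:902", f"!{exclude_from}:587"
    return {name: (matches_2003055(port, data, wide), matches_2001815(port, data, narrow))
            for name, (port, data) in SAMPLES.items()}
```

With the ranges as posted, the port 20 banner fires both rules, the multi-line "220-" banner fires only 2003055, and a banner on port 700 fires only 2001815; starting the exclusion at 20 silences the port 20 case for both.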
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs