• Use Case Reference : SUC020
  • Use Case Title : Potential FTP non anonymous Login and/or Brute-Force attempt
  • Use Case Detection : Firewall / IDS / FTP logs
  • Attacker Class : Opportunists / Targeting Opportunists
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : Random
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 21/TCP

Possible(s) correlation(s) :

  • FTP brute force bot.

Source(s) :

Emerging Threats SIG 2002383 triggers are :

  • The FTP server should return the error code “530” and the string “Login”, or the string “User”, or the string “Failed”, or the string “Not”.
  • The source port should be the port 21 of the HOME_NET FTP server in destination of an EXTERNAL_NET IP.
  • Alerts every 5 occurrences of the event targeting the same EXTERNAL_NET IP during 300 seconds.

Emerging Threats SIG 2003303 triggers are :

  • The string “USER” should be present.
  • The strings “PASS”, “anonymous” or “ftp” shouldn’t not be present.
  • The source IP should be part of EXTERNAL_NET in destination of HOME_NET ftp server on port 21.
  • Alert on every occurrence.
Emerging Threat SIG 2010643 triggers are :
  • The string “USER” should be present.
  • The string “administrator” should be present.
  • The source IP should be part of EXTERNAL_NET in destination of HOME_NET ftp server on port 21.
  • Alerts every 5 occurrences of the event targeting the same EXTERNAL_NET IP during 60 seconds.
SIG 2002383 1 Week events activity

SIG 2002383 1 Week events activity

SIG 2003303 1 Week events activity

SIG 2003303 1 Week events activity

SIG 2010643 1 Week events activity

SIG 2010643 1 Week events activity

SIG 2002383 1 month events activity

SIG 2002383 1 month events activity

SIG 2003303 1 month events activity

SIG 2003303 1 month events activity

SIG 2010643 1 month events activity

SIG 2010643 1 month events activity

1 Month TOP 10 source IPs for SIG 2002383

1 Month TOP 10 source IPs for SIG 2002383

1 Month TOP 10 source IPs for SIG 2003303

1 Month TOP 10 source IPs for SIG 2003303

1 Month TOP 10 source IPs for SIG 2010643

1 Month TOP 10 source IPs for SIG 2010643

TOP 20 source countries for SIG 2002383

TOP 20 source countries for SIG 2002383

TOP 20 source countries for SIG 2003303

TOP 20 source countries for SIG 2003303

TOP 20 source countries for SIG 2010643

TOP 20 source countries for SIG 2010643