- Use Case Reference : SUC020
- Use Case Title : Potential FTP non anonymous Login and/or Brute-Force attempt
- Use Case Detection : Firewall / IDS / FTP logs
- Attacker Class : Opportunists / Targeting Opportunists
- Attack Sophistication : Unsophisticated / Low
- Identified tool(s) : Random
- Source IP(s) : Random
- Source Countries : Random
- Source Port(s) : Random
- Destination Port(s) : 21/TCP
Possible correlation(s) :
- FTP brute force bot.
Source(s) :
Emerging Threats SIG 2002383 triggers are :
- The FTP server should return the error code “530” and the string “Login”, or the string “User”, or the string “Failed”, or the string “Not”.
- The source port should be port 21 of the HOME_NET FTP server, with an EXTERNAL_NET IP as destination.
- Alert on every 5 occurrences of the event targeting the same EXTERNAL_NET IP within 300 seconds.
Emerging Threats SIG 2003303 triggers are :
- The string “USER” should be present.
- The strings “PASS”, “anonymous” or “ftp” should not be present.
- The source IP should be part of EXTERNAL_NET, with the HOME_NET FTP server on port 21 as destination.
- Alert on every occurrence.
Emerging Threats SIG 2010643 triggers are :
- The string “USER” should be present.
- The string “administrator” should be present.
- The source IP should be part of EXTERNAL_NET, with the HOME_NET FTP server on port 21 as destination.
- Alert on every 5 occurrences of the event targeting the same EXTERNAL_NET IP within 60 seconds.
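The trigger conditions of SIG 2002383 and SIG 2003303 above, replayed over constructed FTP traffic as an added example (this is not the Emerging Threats rule text nor code from the use case itself). It assumes a HOME_NET of 192.0.2.0/24, a simple one-message-per-line log format, and that "alert every 5 occurrences in N seconds" behaves like a Snort threshold that counts per destination IP and resets once the window expires.

```python
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.0.2.0/24")  # assumed: network of the monitored FTP server

# Constructed sample traffic: "<epoch> <src_ip> <src_port> <dst_ip> <dst_port> <payload>"
SAMPLE_LOG = [
    "1000 203.0.113.5 40001 192.0.2.10 21 USER anonymous",
    "1001 203.0.113.5 40001 192.0.2.10 21 PASS guest@example.com",
]
for i in range(5):  # five failed 'admin' logins from one external host, 10 s apart
    SAMPLE_LOG.append(f"{1002 + 10 * i} 203.0.113.9 40002 192.0.2.10 21 USER admin")
    SAMPLE_LOG.append(f"{1003 + 10 * i} 192.0.2.10 21 203.0.113.9 40002 530 Login incorrect.")


class Threshold:
    """Snort-style 'type threshold' tracking (assumed semantics): fire on every
    `count`-th match for the same key inside a `seconds`-long window."""

    def __init__(self, count, seconds):
        self.count, self.seconds, self.state = count, seconds, {}

    def hit(self, key, ts):
        start, hits = self.state.get(key, (ts, 0))
        if ts - start > self.seconds:  # window expired: start counting afresh
            start, hits = ts, 0
        hits += 1
        self.state[key] = (start, 0 if hits >= self.count else hits)
        return hits >= self.count


def detect(lines):
    """Return (signature, external_ip) alerts for the two rules described above."""
    alerts, th_2002383 = [], Threshold(count=5, seconds=300)
    for line in lines:
        ts, src, sport, dst, dport, payload = line.split(" ", 5)
        ts, src, dst = int(ts), ip_address(src), ip_address(dst)
        src_home, dst_home = src in HOME_NET, dst in HOME_NET
        # SIG 2003303: EXTERNAL_NET -> HOME_NET:21, "USER" present, none of PASS/anonymous/ftp; every hit
        if (not src_home and dst_home and dport == "21" and "USER" in payload
                and not any(s in payload for s in ("PASS", "anonymous", "ftp"))):
            alerts.append(("SIG2003303", str(src)))
        # SIG 2002383: HOME_NET:21 -> EXTERNAL_NET, "530" plus Login/User/Failed/Not; 5 hits per dst in 300 s
        if (src_home and sport == "21" and not dst_home and "530" in payload
                and any(s in payload for s in ("Login", "User", "Failed", "Not"))):
            if th_2002383.hit(dst, ts):
                alerts.append(("SIG2002383", str(dst)))
    return alerts


if __name__ == "__main__":
    for sig, ip in detect(SAMPLE_LOG):
        print(sig, ip)
```

The anonymous session produces no alert, while the external host retrying "admin" raises SIG2003303 on each USER command and SIG2002383 once the fifth 530 reply lands inside the window.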