# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. # # This file contains (i) proprietary rules that were created, tested and certified by # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by # Sourcefire and other third parties (the "GPL Rules") that are distributed under the # GNU General Public License (GPL), v2. # # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a # list of third party owners and their respective copyrights. # # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer # to the VRT Certified Rules License Agreement (v2.0). # #-------------------- # PROTOCOL-FTP RULES #-------------------- # alert tcp $EXTERNAL_NET !80 -> $HOME_NET [1023:65535] (msg:"PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt"; flow:to_client,established; dsize:>512; content:"-rwxr-xr-x "; isdataat:512,relative; content:!"|0A|"; within:512; metadata:service ftp; reference:bugtraq,50614; reference:cve,2011-5164; classtype:attempted-user; sid:26471; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt"; flow:to_server,established; content:"MKD "; depth:4; isdataat:75,relative; content:!"|0A|"; within:75; metadata:ruleset community, service ftp; reference:bugtraq,11772; reference:bugtraq,15457; reference:bugtraq,23885; reference:bugtraq,39041; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:cve,2004-1135; reference:cve,2005-3683; reference:cve,2007-2586; reference:cve,2009-3023; reference:cve,2010-0625; reference:nessus,12108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.exploit-db.com/exploits/14399/; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:23055; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ACCT overflow attempt"; flow:to_server,established; content:"ACCT"; nocase; isdataat:200,relative; pcre:"/^ACCT(?!\n)\s[^\n]{200}/smi"; metadata:service ftp; reference:url,seclists.org/bugtraq/2010/Feb/202; classtype:attempted-admin; sid:18580; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ProFTPD mod_site_misc module directory traversal attempt"; flow:to_server,established; content:"SITE"; fast_pattern:only; pcre:"/^SITE\s+(MKDIR|RMDIR|SYMLINK|UTIME)[^\r\n]*?\x2F\x2E\x2E\x2F/i"; metadata:service ftp; reference:bugtraq,44562; reference:cve,2010-3867; classtype:attempted-user; sid:18326; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ProFTPd 1.3.3c backdoor help access attempt"; flow:to_server,established; content:"HELP ACIDBITCHEZ"; fast_pattern:only; metadata:service ftp; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; classtype:trojan-activity; sid:18182; rev:5;) # alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"PROTOCOL-FTP ProFTPd 1.3.3c backdoor activity"; flow:to_server, established; content:"GET /AB HTTP/1.0"; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; classtype:trojan-activity; sid:18181; rev:3;) # alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"PROTOCOL-FTP FlashGet PWD command stack buffer overflow attempt"; flow:to_client,established; content:"257|20|"; pcre:"/^257\x20\S{257,}\x20/mi"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,30685; reference:cve,2008-4321; classtype:attempted-user; sid:17518; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Vermillion 1.31 vftpd port command memory corruption"; flow:to_server,established; content:"PORT"; depth:4; isdataat:50,relative; content:!"|0A|"; within:50; metadata:service ftp; reference:url,www.exploit-db.com/exploits/11293; reference:url,www.global-evolution.info/news/files/vftpd/vftpd.txt; classtype:misc-attack; sid:17059; rev:5;) # alert tcp any any -> any 21 (msg:"PROTOCOL-FTP httpdx PASS null byte denial of service"; flow:established,to_server; content:"PASS"; nocase; pcre:"/PASS\s{0,2}\x00/ims"; metadata:service ftp; reference:url,secunia.com/advisories/38933; reference:url,www.exploit-db.com/exploits/11734; classtype:attempted-dos; sid:16698; rev:3;) # alert tcp any any -> any 21 (msg:"PROTOCOL-FTP httpdx USER null byte denial of service"; flow:established,to_server; content:"USER"; nocase; pcre:"/USER\s{0,2}\x00/ims"; metadata:service ftp; reference:url,secunia.com/advisories/38933; reference:url,www.exploit-db.com/exploits/11734; classtype:attempted-dos; sid:16697; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP multiple extension code execution attempt"; flow:established,to_server; content:"STOR"; depth:4; nocase; content:".asp|3B|."; distance:0; nocase; pcre:"/^STOR[^\n]+\.asp\x3B\./smi"; metadata:service ftp; reference:cve,2009-4444; classtype:web-application-attack; sid:16357; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST globbing denial of service attack"; flow:to_server,established; content:"ST -R"; nocase; content:"*/.."; within:20; distance:1; metadata:service ftp; reference:cve,2009-2521; reference:url,technet.microsoft.com/en-us/security/advisory/975191; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; classtype:attempted-dos; sid:15932; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Ipswitch Ws_ftp XMD5 overflow attempt"; flow:to_server,established; content:"XMD5"; nocase; isdataat:200,relative; pcre:"/^XMD5(?!\n)\s[^\n]{200}/smi"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,20076; reference:cve,2006-4847; reference:cve,2006-5000; classtype:attempted-admin; sid:10188; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASV overflow attempt"; flow:to_server,established; content:"PASV"; nocase; isdataat:493,relative; pcre:"/^PASV(?!\n)\s[^\n]{493}/smi"; metadata:service ftp; reference:url,www.milw0rm.com/exploits/2952; classtype:attempted-admin; sid:9792; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP WZD-FTPD SITE arbitrary command execution attempt"; flow:established,to_server; content:"SITE"; fast_pattern:only; pcre:"/^SITE\s*(\w+\s*)+\x7c/smi"; metadata:service ftp; reference:bugtraq,14935; reference:cve,2005-3081; classtype:attempted-admin; sid:8707; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Microsoft NLST * dos attempt"; flow:to_server,established; content:"NLST"; fast_pattern:only; pcre:"/^NLST\s+[^\n]*\x2a{10}/smi"; metadata:service ftp; reference:bugtraq,2717; reference:cve,2001-0334; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-026; classtype:attempted-dos; sid:8481; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP HELP overflow attempt"; flow:to_server,established; content:"HELP"; nocase; isdataat:200,relative; pcre:"/^HELP(?!\n)\s[^\n]{200}/smi"; metadata:service ftp; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:8479; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SIZE overflow attempt"; flow:to_server,established; content:"SIZE"; nocase; isdataat:500,relative; pcre:"/^SIZE\s[\x2F\x5C][^\x0a]{500}/smi"; metadata:service ftp; reference:bugtraq,19617; reference:cve,2006-4318; classtype:attempted-admin; sid:8415; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE INDEX format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"INDEX"; distance:0; nocase; pcre:"/^SITE\s+INDEX\s[^\n]*?%[^\n]*?%/smi"; metadata:service ftp; reference:bugtraq,1387; reference:cve,2000-0573; classtype:bad-unknown; sid:3523; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP REST with numeric argument"; flow:to_server,established; content:"REST"; fast_pattern:only; pcre:"/REST\s+[0-9]+\n/i"; metadata:ruleset community, service ftp; reference:bugtraq,7825; classtype:attempted-recon; sid:3460; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:200,relative; pcre:"/^RNFR\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,14339; classtype:attempted-admin; sid:3077; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; fast_pattern:only; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9800; reference:cve,2004-1883; classtype:attempted-admin; sid:2574; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:200,relative; pcre:"/^ALLO(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9953; reference:cve,2004-1883; reference:nessus,14598; classtype:attempted-admin; sid:2449; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,15352; reference:bugtraq,30993; reference:bugtraq,9800; reference:cve,2002-2074; reference:cve,2007-1195; reference:cve,2009-4769; classtype:string-detect; sid:2417; rev:17;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern:only; pcre:"/^MDTM \d+[-+]\D/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:200,relative; pcre:"/^APPE(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; reference:cve,2003-0772; classtype:attempted-admin; sid:2391; rev:17;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:200,relative; pcre:"/^STOU\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:200,relative; pcre:"/^NLST(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7909; reference:cve,1999-1544; reference:cve,2009-3023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:2374; rev:19;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:200,relative; pcre:"/^XMKD(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,11542; reference:bugtraq,8704; reference:cve,2004-2728; classtype:attempted-admin; sid:2344; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:200,relative; content:!"|0D|"; within:200; content:!"|0A|"; within:200; content:!"|00|"; within:200; metadata:ruleset community, service ftp; reference:bugtraq,8668; reference:cve,2000-0133; reference:url,exploit-db.com/exploits/39662/; classtype:attempted-admin; sid:2343; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:200,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037; classtype:attempted-admin; sid:2340; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"PROTOCOL-FTP RMD / attempt"; flow:to_server,established; content:"RMD"; fast_pattern:only; pcre:"/^RMD\s+\x2f$/smi"; metadata:ruleset community; reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"PROTOCOL-FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; fast_pattern:only; pcre:"/^USER\s+y049575046/smi"; metadata:ruleset community; reference:bugtraq,9072; reference:url,attack.mitre.org/techniques/T1078; classtype:suspicious-login; sid:2334; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; fast_pattern:only; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MKD format string attempt"; flow:to_server,established; content:"MKD"; fast_pattern:only; pcre:"/^MKD\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; fast_pattern:only; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; metadata:ruleset community, service ftp; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; reference:nessus,11912; classtype:misc-attack; sid:2272; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; reference:cve,2007-1195; reference:nessus,10490; classtype:misc-attack; sid:2179; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP USER format string attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2178; rev:23;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD Root directory traversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; metadata:ruleset community, service ftp; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; metadata:ruleset community, service ftp; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,2972; reference:cve,2001-0826; reference:nessus,11755; classtype:attempted-admin; sid:1974; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,1387; reference:bugtraq,1505; reference:cve,2000-0573; classtype:bad-unknown; sid:1971; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,819; classtype:attempted-admin; sid:1942; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; pcre:"/^RETR[^\n]*shadow$/smi"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1928; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1927; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:1920; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:180,relative; pcre:"/^CWD(?!\n)\s[^\n]{180}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:1919; rev:31;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; fast_pattern:only; pcre:"/^STAT\s+[^\n]*\x3f/smi"; metadata:ruleset community, service ftp; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:attempted-dos; sid:1778; rev:18;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP EXPLOIT STAT asterisk dos attempt"; flow:to_server,established; content:"STAT"; fast_pattern:only; pcre:"/^STAT\s+[^\n]*\x2a/smi"; metadata:ruleset community, service ftp; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:attempted-dos; sid:1777; rev:19;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SYST overflow attempt"; flow:to_server,established; content:"SYST"; nocase; isdataat:100,relative; pcre:"/^SYST(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1625; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PWD overflow attempt"; flow:to_server,established; content:"PWD"; nocase; isdataat:190,relative; pcre:"/^PWD\s.{190}/smi"; metadata:ruleset community, service ftp; classtype:protocol-command-decode; sid:1624; rev:18;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP invalid MODE"; flow:to_server,established; content:"MODE"; fast_pattern:only; pcre:"/^MODE\s+[^ABSC]{1}/msi"; metadata:ruleset community, service ftp; reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1623; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; fast_pattern:only; content:" ././"; metadata:ruleset community, service ftp; reference:cve,1999-0081; classtype:misc-attack; sid:1622; rev:14;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:200,relative; pcre:"/^CMD(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; classtype:attempted-admin; sid:1621; rev:20;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,2120; reference:cve,2001-0065; reference:nessus,10579; classtype:attempted-admin; sid:1562; rev:18;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:17;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:190,relative; pcre:"/^STAT(?!\n)\s[^\n]{190}/mi"; metadata:ruleset community, service ftp; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:cve,2003-0772; reference:cve,2011-0762; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:23;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"{"; distance:0; metadata:ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1378; rev:23;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; metadata:ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1377; rev:23;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; metadata:ruleset community, service ftp; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:13;) # alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"PROTOCOL-FTP Bad login"; flow:to_client,established; content:"530 "; fast_pattern:only; pcre:"/^530\s+(Login|User)/smi"; metadata:ruleset community, service ftp; classtype:bad-unknown; sid:491; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; fast_pattern:only; metadata:ruleset community, service ftp; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:20;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; metadata:ruleset community, service ftp; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:361; rev:22;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP serv-u directory traversal"; flow:to_server,established; content:".%20."; fast_pattern:only; metadata:ruleset community, service ftp; reference:bugtraq,2052; reference:cve,2001-0054; reference:nessus,10565; classtype:bad-unknown; sid:360; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP satan scan"; flow:to_server,established; content:"pass -satan"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:359; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP saint scan"; flow:to_server,established; content:"pass -saint"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:358; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern:only; metadata:ruleset community, service ftp; reference:url,www.mines.edu/fs_home/dlarue/cc/baby-doe.html; classtype:suspicious-login; sid:357; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:356; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:355; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:354; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:353; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:337; rev:21;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:17;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .forward"; flow:to_server,established; content:".forward"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:334; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:144; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"PROTOCOL-FTP CoreFTP FTP Server TYPE command denial of service attempt"; flow:to_server,established; content:"TYPE"; fast_pattern:only; pcre:"/^TYPE\s+?\w{210}/smi"; metadata:service ftp; reference:bugtraq,67613; classtype:attempted-dos; sid:31128; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"PROTOCOL-FTP ProFTPD mod_copy remote code execution attempt"; flow:to_server,established; content:"SITE"; depth:4; nocase; content:"CPFR"; within:4; distance:1; nocase; content:"/proc/"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp; reference:bugtraq,74238; reference:cve,2015-3306; classtype:attempted-admin; sid:34225; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Ipswitch Ws_ftp XCRC overflow attempt"; flow:to_server,established; content:"XCRC"; nocase; isdataat:200,relative; pcre:"/^XCRC(?!\n)\s[^\n]{200}/smi"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,20076; reference:cve,2006-4847; classtype:attempted-admin; sid:18588; rev:9;) # alert tcp $EXTERNAL_NET [20,1024:] -> $HOME_NET [20,1024:] (msg:"PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt"; flow:established; stream_size:either,>,12800; content:"4096"; fast_pattern:only; pcre:"/[D\x2D][RWX\x2D]{9}\s+\w+\s+\w+\s+\w+\s+4096/i"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,29528; reference:cve,2008-2541; classtype:attempted-user; sid:18575; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP EPRT overflow attempt"; flow:established,to_server; content:"EPRT "; nocase; isdataat:128,relative; pcre:"/^EPRT\x20[^\n]{128}/smi"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,15998; reference:cve,2005-4459; classtype:attempted-admin; sid:17329; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ProFTPD username sql injection attempt"; flow:to_server, established; content:"|25 27|"; fast_pattern:only; content:"USER"; pcre:"/USER\s*[^\x0d]+\x25\x27/smi"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,33722; reference:cve,2009-0542; reference:url,attack.mitre.org/techniques/T1190; classtype:attempted-admin; sid:16524; rev:10;) # alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"PROTOCOL-FTP Ipswitch WS_FTP client format string attempt"; flow:to_client,established; content:"%"; fast_pattern:only; pcre:"/^(\d{3}\x20)?\S*\x25\w/i"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,30720; reference:cve,2008-3734; classtype:attempted-user; sid:14770; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNTO directory traversal attempt"; flow:to_server,established; content:"RNTO"; depth:4; nocase; pcre:"/^rnto\s[^\s\x0d\x0a]*\x2e\x2e(\x2f|\x5c)/i"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,31563; reference:cve,2008-4501; classtype:suspicious-filename-detect; sid:14743; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-FTP Computer Associates eTrust Secure Content Manager PASV stack overflow attempt"; flow:to_client,established; content:"227"; depth:3; pcre:"/\x28((\d{4,}|[3-9]\d\d|2[6-9]\d|25[7-9]),\d+,\d+,\d+|\d+,(\d{4,}|[3-9]\d\d|2[6-9]\d|25[7-9]),\d+,\d+|\d+,\d+,(\d{4,}|[3-9]\d\d|2[6-9]\d|25[7-9]),\d+|\d+,\d+,\d+(\d{4,}|[3-9]\d\d|2[6-9]\d|25[7-9])),\d+,\d+\x29/"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,29528; reference:cve,2008-2541; classtype:attempted-user; sid:13925; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PORT overflow attempt"; flow:to_server,established; content:"PORT "; nocase; isdataat:400,relative; pcre:"/^PORT\x20[^\n]{400}/smi"; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,15998; reference:bugtraq,18711; reference:cve,2005-4459; reference:cve,2006-2226; classtype:attempted-admin; sid:8480; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,126; reference:cve,1999-0017; reference:nessus,10081; classtype:misc-attack; sid:3441; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:200,relative; pcre:"/^RETR(?!\n)\s[^\n]{200}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,23168; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; reference:cve,2005-3683; classtype:attempted-admin; sid:2392; rev:22;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:200,relative; pcre:"/^RNTO(?!\n)\s[^\n]{200}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; reference:cve,2005-3683; classtype:attempted-admin; sid:2389; rev:21;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:128,relative; pcre:"/^LIST(?!\n)\s[^\n]{128}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,10181; reference:bugtraq,14339; reference:bugtraq,33454; reference:bugtraq,58247; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675; reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; reference:cve,2004-1992; reference:cve,2005-2373; reference:cve,2007-0019; reference:cve,2009-0351; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-003; classtype:misc-attack; sid:2338; rev:35;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,2972; reference:bugtraq,39041; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; reference:cve,2005-3683; reference:cve,2010-0625; classtype:attempted-admin; sid:1976; rev:23;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE(?!\n)\s[^\n]{100}/mi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,2972; reference:bugtraq,46922; reference:cve,2001-0826; reference:cve,2001-1021; reference:cve,2005-3683; reference:cve,2010-4228; reference:nessus,11755; classtype:attempted-admin; sid:1975; rev:27;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:150,relative; pcre:"/^MKD(?!\n)\s[^\n]{150}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,11772; reference:bugtraq,15457; reference:bugtraq,39041; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:cve,2004-1135; reference:cve,2005-3683; reference:cve,2009-3023; reference:cve,2010-0625; reference:nessus,12108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:1973; rev:31;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,15457; reference:bugtraq,1690; reference:bugtraq,22045; reference:bugtraq,3884; reference:bugtraq,45957; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; reference:cve,2005-3683; reference:cve,2006-6576; classtype:attempted-admin; sid:1972; rev:32;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,15352; reference:bugtraq,1690; reference:bugtraq,22044; reference:bugtraq,22045; reference:bugtraq,4638; reference:bugtraq,49750; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; reference:cve,2004-0695; reference:cve,2005-3683; classtype:attempted-admin; sid:1734; rev:50;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; fast_pattern:only; pcre:"/^CWD\s+~/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:22;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP no password"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s*\n/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; classtype:unknown; sid:489; rev:19;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .rhosts"; flow:to_server,established; content:".rhosts"; metadata:policy max-detect-ips drop, ruleset community, service ftp; classtype:suspicious-filename-detect; sid:335; rev:16;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt"; flow:to_server,established; content:"testAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp; reference:bugtraq,29528; reference:cve,2008-2541; classtype:attempted-user; sid:37934; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PUT overflow attempt"; flow:to_server,established; content:"PUT "; nocase; isdataat:200,relative; content:!"|0D|"; within:200; content:!"|0A|"; within:200; content:!"|00|"; within:200; metadata:service ftp; reference:url,exploit-db.com/exploits/39662/; classtype:attempted-admin; sid:39378; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"PROTOCOL-FTP z/OS FTP Job Entry Subsystem JCL execution attempt"; flow:to_server,established; content:"site file=jes"; fast_pattern:only; nocase; metadata:service ftp; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/mainframe/ftp/ftp_jcl_creds.rb; classtype:policy-violation; sid:40355; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Easy File Sharing FTP server directory traversal attempt"; flow:to_server,established; content:"RETR|20|"; content:"../"; within:20; pcre:"/retr[^&]*?\x2e\x2e\x2f/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,96944; reference:cve,2017-6510; classtype:attempted-admin; sid:42862; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP WS-FTP REST command overly large file creation attempt"; flow:to_server,established; content:"REST "; byte_test:10,>,1000000000, 0, relative, string, dec; metadata:service ftp; reference:bugtraq,9953; reference:cve,2004-1848; classtype:attempted-dos; sid:43239; rev:1;) # alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt"; flow:to_client,established; content:"|41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; depth:16; content:!"|0D|"; depth:1500; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp; reference:bugtraq,101602; reference:cve,2017-15222; reference:url,www.exploit-db.com/exploits/43025/; reference:url,www.exploit-db.com/exploits/43236/; classtype:attempted-user; sid:45461; rev:2;) # alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt"; flow:to_client,established; content:"|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; depth:16; content:!"|0D|"; within:1500; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp; reference:cve,2017-15222; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ftp/ayukov_nftp.rb; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/ftp/labf_nfsaxe.rb; classtype:attempted-user; sid:45460; rev:3;) # alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"PROTOCOL-FTP LabF nfsAxe FTP Client buffer overflow attempt"; flow:to_client,established; content:"220"; depth:3; isdataat:1500,relative; content:!"|0A|"; within:1500; metadata:service ftp; reference:url,www.exploit-db.com/exploits/42011/; classtype:attempted-user; sid:45591; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt"; flow:to_server,established; content:"d"; content:"|20 20 20 20 20 20 20 20 20|4096|20|"; within:14; distance:28; content:!"|0D 0A|"; within:255; distance:13; metadata:policy max-detect-ips drop, service ftp; reference:cve,2008-2541; classtype:attempted-user; sid:45828; rev:1;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"PROTOCOL-FTP GP-Pro EX HMI WinGP Runtime Arbitrary File Disclosure attempt"; flow:to_server,established; content:"DRRD"; fast_pattern; content:"NAND"; distance:0; content:".."; distance:0; metadata:service ftp; reference:url,www.profaceamerica.com; classtype:attempted-user; sid:49426; rev:1;)