File: proftpd.rules

package info (click to toggle)
sagan-rules 1:20170725-1
  • links: PTS
  • area: main
  • in suites: buster, sid
  • size: 3,460 kB
  • sloc: makefile: 5
file content (51 lines) | stat: -rw-r--r-- 8,827 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
# Sagan proftpd.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Session opened"; content: "FTP session opened"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000078; sid: 5000078; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Session closed"; content: "FTP session closed"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000079; sid: 5000079; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Attempt to login as a non-existent user [Brute Force] [5/5]"; content: "no such user"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; parse_src_ip: 3; program: proftpd; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000080; sid: 5000080; rev:7;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Login failed accessing the FTP server [Brute Force] [5/5]"; pcre: "/Incorrect password|Login failed/i"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: unsuccessful-user; parse_src_ip: 3; program: proftpd; after: track by_src, count 5, seconds 300; parse_ip_src: 1; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; xbits: set,brute_force,21600; reference: url,wiki.quadrantsec.com/bin/view/Main/5000081; sid: 5000081; rev:8;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Authentication success"; content: "Login successful"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000082; sid: 5000082; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Connection refused by TCP Wrappers"; content: "refused connect from"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: tcp-connection; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000083; sid: 5000083; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Small PassivePorts range in config file"; content: "unable to find open port in PassivePorts range"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: program-error; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000084; sid: 5000084; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Attempt to bypass firewall - cannot keep state of FTP traffic"; content: "Refused PORT"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000085; sid: 5000085; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Maximum login attempts reached [DoS?]"; content: "Maximum login attempts"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-dos; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000086; sid: 5000086; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Host name or host address mismatch"; pcre: "/name mismatch|address mismatch/i"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000087; sid: 5000087; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Reverse lookup failure"; content: "can't verify hostname"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000088; sid: 5000088; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Remote host connected to FTP server"; content: "connect from"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000089; sid: 5000089; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Remote host disconnected due to inactivity"; content: "FTP no transfer timeout, disconnected"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000090; sid: 5000090; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Remote host disconnected due to login time out" ;content: "FTP login timed out"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000091; sid: 5000091; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Remote host disconnected due to time out" ;content: "FTP session idle timeout"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000374; sid: 5000374; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Data transfer stall timeout" ;content: "Data transfer stall timeout"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: not-suspicious; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000092; sid: 5000092; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] terminated [crash]" ; content: "ProFTPD terminating"; content: "signal 11"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: program-error; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000093; sid: 5000093; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[PROFTPD] Unable to bind to address" ; content: "listen"; content: "failed in";  default_proto: tcp; default_dst_port: $FTP_PORT; classtype: program-error; program: proftpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000094; sid:5000094; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PROFTPD] User logged into an disabled account"; content: "Login successful"; pcre: "/^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$|^sagan$/"; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: successful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000413; program: sshd; sid: 5000413; rev:3;)

# Rule by W. E Restrepo (werestrepo@quadrantsec.com) - 08/30/2016

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[PROFTP] FTPCHK3 file accessed by user"; content: "ftpchk3"; pcre: "/CHMOD|DELE|STOR/i";  parse_src_ip: 3; program: proftpd; default_proto: tcp; default_dst_port: $FTP_PORT; classtype: suspicious-traffic; reference: url,blog.ftptoday.com/ftp-password-stealing-malware; reference: url,wiki.quadrantsec.com/bin/view/Main/5002951; sid:5002951; rev: 3;)