PROTOCOL-FTP -- Snort alerted on suspicious use of the FTP protocol. FTP is generally unsafe, as it sends all data in plain text, including passwords. Stolen data may also aggregate via FTP, and malware-infected items are often made available via FTP sharing sites. Malicious FTP attempts are common, such as directory traversal, overflow attempts, FTP probing (for instance, from the SATAN tool), etc.
PROTOCOL-FTP satan scan
This event is generated when an attempt is made to login anonymously into an ftp server using a suspicious password (-satan) Impact: Possible unauthorized access. Information gathering. Details: Satan is an open-source security scanner,a predecessor to Saint, which checks for common vulnerabilities. When it detects an open ftp server, it tries to log in anonymously using the password '-satan' Ease of Attack: Simple.
No information provided
No public information
Known false positives, with the described conditions
A user may be using that same password for a legitimate anonymous login.
Original Rule Writer Max Vision <vision@whitehats.com> Cisco Talos Nigel Houghton Snort documentation contributed by Chaos <c@aufbix.org>
No rule groups
None
No information provided
None