# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: ftp.rules,v 1.31.2.2 2003/02/07 22:04:50 cazz Exp $
#----------
# FTP RULES
#----------


# protocol verification
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt";flow:to_server,established; content:"CEL "; nocase; content:!"|0a|"; within:100; reference:bugtraq,679; reference:cve,CVE-1999-0789; reference:arachnids,257; classtype:attempted-admin; sid:337; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2000-1035; reference:cve,CAN-2000-1194; reference:cve,CAN-2002-0126; classtype:attempted-admin; sid:1919; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow attempt"; flow:to_server,established; content:"CMD "; nocase; content:!"|0a|"; within:100; classtype:attempted-admin; sid:1621; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT "; nocase; content:!"|0a|"; within:100; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE "; nocase; content:" CHOWN "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2001-0065; classtype:attempted-admin; sid:1562; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE "; nocase; content:" NEWER "; nocase; content:!"|0a|"; within:100; reference:cve,CVE-1999-0800; classtype:attempted-admin; sid:1920; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE "; nocase; content:" CPWD "; nocase; content:!"|0a|"; within:100; reference:bugtraq,5427; reference:cve,CAN-2002-0826; classtype:misc-attack; sid:1888; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC "; nocase; distance:0; content:"%"; distance:1; content:"%"; distance:1; classtype:bad-unknown; sid:1971; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE overflow attempt"; flow:to_server,established; content:"SITE "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2001-0755; reference:cve,CAN-2001-0770; reference:cve,CVE-1999-0838; classtype:attempted-admin; sid:1529; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream;  content:"USER "; nocase; content:!"|0a|"; within:100; reference:bugtraq,4638; reference:cve,CAN-2000-0479; reference:cve,CAN-2000-0656; reference:cve,CAN-2000-1035; reference:cve,CAN-2000-1194; reference:cve,CAN-2001-0794; reference:cve,CAN-2001-0826; reference:cve,CAN-2002-0126; reference:cve,CVE-2000-0943; classtype:attempted-admin; sid:1734; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream;  content:"PASS "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2000-1035; reference:cve,CAN-2002-0126; classtype:attempted-admin; sid:1972; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMDIR overflow attempt"; flow:to_server,established;  content:"RMDIR "; nocase; content:!"|0a|"; within:100; classtype:attempted-admin; sid:1942; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt";flow:to_server,established; content:"MKD "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-1999-0911; reference:bugtraq,612; classtype:attempted-admin; sid:1973; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow attempt";flow:to_server,established; content:"REST "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1974; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt";flow:to_server,established; content:"DELE "; nocase; content:!"|0a|"; within:100; reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1975; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow attempt"; flow:to_server,established;  content:"RMD "; nocase; content:!"|0a|"; within:100;reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1976; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE "; nocase; content:!" B"; nocase; content:!" A"; nocase; content:!" S"; nocase; content:!" C"; nocase; classtype:protocol-command-decode; sid:1623; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large PWD command"; flow:to_server,established; content:"PWD"; nocase; dsize:10; classtype:protocol-command-decode; sid:1624; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large SYST command"; flow:to_server,established; content:"SYST"; nocase; dsize:10; classtype:protocol-command-decode; sid:1625; rev:3;)





# bad ftp commands
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE ZIPCHK attempt"; flow:to_server,established; content:"SITE "; nocase; content:" ZIPCHK "; nocase; content:!"|0a|"; within:100; reference:cve,CVE-2000-0040; classtype:attempted-admin; sid:1921; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE "; nocase; content:" NEWER "; nocase; reference:cve,CVE-1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP site exec"; flow:to_server,established; content:"SITE "; nocase; content:"EXEC "; distance:0; nocase; reference:bugtraq,2241; reference:arachnids,317; classtype:bad-unknown; sid:361;  rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT "; nocase; content:"*"; reference:bugtraq,4482; classtype:attempted-dos; sid:1777; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT "; nocase; content:"?"; reference:bugtraq,4482; classtype:attempted-dos; sid:1778; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters"; flow:to_server,established; content:" --use-compress-program" ; nocase; reference:bugtraq,2240; reference:arachnids,134; reference:cve,CVE-1999-0202; classtype:bad-unknown; sid:362; rev:7;)

# bad directories
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; content:"CWD "; content:" ~root"; nocase; flow:to_server,established; reference:cve,CVE-1999-0082; reference:arachnids,318; classtype:bad-unknown; sid:336;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD "; content:" ..."; classtype:bad-unknown; sid:1229;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~<NEWLINE> attempt"; content:"CWD "; content:" ~|0A|"; flow:to_server,established; reference:cve,CAN-2001-0421; reference:bugtraq,2601; classtype:denial-of-service; sid:1672;  rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~<CR><NEWLINE> attempt"; content:"CWD "; content:" ~|0D0A|"; flow:to_server,established; reference:cve,CAN-2001-0421; reference:bugtraq,2601; classtype:denial-of-service; sid:1728;  rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD .... attempt"; content:"CWD "; content:" ...."; flow:to_server,established; reference:bugtraq,4884; classtype:denial-of-service; sid:1779; rev:1;)



# vulnerabilities against specific implementations of ftp
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u directory transversal"; flow:to_server,established; content: ".%20."; nocase; reference:bugtraq,2025; reference:cve,CVE-2001-0054; classtype:bad-unknown; sid:360;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt ["; flow:to_server,established; content:"~"; content:"["; distance:1;reference:cve,CVE-2001-0550; reference:cve,CAN-2001-0886; reference:bugtraq,3581; classtype:misc-attack; sid:1377; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:1; reference:cve,CVE-2001-0550; reference:cve,CAN-2001-0886; reference:bugtraq,3581; classtype:misc-attack; sid:1378; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; classtype:attempted-admin; sid:1530; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:1622; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; classtype:protocol-command-decode; sid:1748; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST directory traversal attempt"; content:"LIST"; content:".."; distance:1; content:".."; distance:1; reference:cve,CVE-2001-0680; reference:bugtraq,2618; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:1;)


# BAD FILES
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; content: ".forward"; flow:to_server,established; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:1927; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:2;)

# suspicious login attempts
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER w0rm|0D0A|"; reference:arachnids,01; sid:144; classtype:suspicious-login;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0a|"; reference:arachnids,332; classtype:suspicious-login; sid:353;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; reference:arachnids,331; classtype:suspicious-login; sid:354;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; reference:arachnids,324; classtype:suspicious-login; sid:355;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; classtype:suspicious-login; sid:357;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP saint scan"; flow:to_server,established; content:"pass -saint"; reference:arachnids,330; classtype:suspicious-login; sid:358;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP satan scan"; flow:to_server,established; content:"pass -satan"; reference:arachnids,329; classtype:suspicious-login; sid:359;  rev:4;)