Rule:

--
Sid:
359

--
Summary:
This event is generated when an attempt is made to login anonymously into an ftp server using a suspicious password (-satan)

--
Impact:
Possible unauthorized access. Information gathering.

--
Detailed Information:
Satan is an open-source security scanner,a predecessor to Saint, which checks for common vulnerabilities. When it detects an open ftp server, it tries to log in anonymously using the password '-satan'

--
Affected Systems:
Machines running anonymous ftp servers.

--
Attack Scenarios:
An attacker scans a range of IPs using the Satan Scanner, checking for known vulnerabilities. If the scanner encounters a ftp server, it tries to log in .

--
Ease of Attack:
Simple.

--
False Positives:
A user may be using that same password for a legitimate anonymous login.

--
False Negatives:
None known.

--
Corrective Action:
Disable anonymous FTP access.

--
Contributors:
Original Rule Writer Max Vision <vision@whitehats.com>
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Chaos <c@aufbix.org>

-- 
Additional References:


--
