ET SCAN Multiple FTP Root Login Attempts from Single Source – Possible Brute Force Attempt

This alert is triggered when detecting multiple FTP root login attempts from a single source, suggesting a possible brute force attack. FTP (File Transfer Protocol) is a standard internet protocol used to transfer files between a client and a server over a network. The rule checks for the use of the username "root" in login attempts, which is the superuser account in many systems. This alert may be triggered when an adversary is attempting to gain unauthorized access to the FTP server by trying to brute-force the root account.

Categories:

ID Number

4000479

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"root"; within:15; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010642; classtype:attempted-recon; sid:4000479; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

MITRE ATT&CK Technique

-

Severity

Medium

Recommendations/Investigative actions

It is recommended to limit Root Login Attempts to your FTP service. If possible, block all FTP Root Login Attempts from external networks, or enable access from specific external devices only.