ET SCAN Multiple FTP Administrator Login Attempts from Single Source – Possible Brute Force Attempt

This alert is triggered when multiple FTP login attempts using the username "Administrator" are observed from a single source, suggesting a possible brute-force attack. FTP (File Transfer Protocol) is a standard internet protocol used to transfer files between a client and a server over a network. The rule inspects the FTP USER command for the username "Administrator" (matched case-insensitively), the built-in administrative account on Windows and many other systems, and fires once a single source has sent five such attempts within 60 seconds. This alert may indicate that an adversary is attempting to gain unauthorized access to the FTP server by brute-forcing the Administrator account's password.

Categories:

ID Number

4000480

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"administrator"; within:25; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010643; classtype:attempted-recon; sid:4000480; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
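The following script is an added illustration of the signature's matching and thresholding logic, not part of the Emerging Threats rule or Suricata itself. It mirrors the two content matches (`USER ` within the first 5 bytes, `administrator` within the next 25 bytes, both case-insensitive) and approximates `threshold: type threshold, track by_src, count 5, seconds 60` over a few constructed log lines. The log line format (`timestamp source_ip ftp_command`) and the sample addresses are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Rule parameters taken from the signature above.
COUNT = 5       # count 5
SECONDS = 60    # seconds 60


def matches_rule_content(payload: bytes) -> bool:
    """Reproduce the two content matches of the rule.

    content:"USER "; nocase; depth:5   -> "USER " must occupy the first 5 bytes.
    content:"administrator"; within:25; nocase
        -> "administrator" must end within 25 bytes after "USER ".
    """
    if payload[:5].lower() != b"user ":
        return False
    return b"administrator" in payload[5:5 + 25].lower()


class ThresholdTracker:
    """Approximation of 'threshold: type threshold, track by_src'.

    An alert is raised on the COUNT-th matching event from one source inside a
    SECONDS window; the per-source state is then cleared so the next match
    starts a fresh window. This is an illustration, not Suricata's internal
    implementation.
    """

    def __init__(self, count: int = COUNT, seconds: int = SECONDS):
        self.count = count
        self.window = timedelta(seconds=seconds)
        self.state = {}  # src_ip -> (window_start, matches_in_window)

    def observe(self, src_ip: str, ts: datetime) -> bool:
        start, n = self.state.get(src_ip, (ts, 0))
        if ts - start >= self.window:      # window expired: restart counting
            start, n = ts, 0
        n += 1
        if n >= self.count:
            self.state.pop(src_ip, None)   # fire and reset for this source
            return True
        self.state[src_ip] = (start, n)
        return False


def run_detection(log_text: str):
    """Return (timestamp, src_ip) pairs at which the rule would alert."""
    tracker = ThresholdTracker()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, src_ip, command = line.split(" ", 2)
        if not matches_rule_content(command.encode()):
            continue
        if tracker.observe(src_ip, datetime.fromisoformat(ts_str)):
            alerts.append((ts_str, src_ip))
    return alerts


# Constructed sample: one source sends six Administrator attempts in under a
# minute, then one more after the window has expired; another source logs in
# as a different user (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.5 USER Administrator
2024-05-01T10:00:03 203.0.113.5 PASS hunter2
2024-05-01T10:00:05 203.0.113.5 user ADMINISTRATOR
2024-05-01T10:00:09 203.0.113.5 USER administrator
2024-05-01T10:00:14 198.51.100.7 USER alice
2024-05-01T10:00:20 203.0.113.5 USER Administrator
2024-05-01T10:00:31 203.0.113.5 USER Administrator
2024-05-01T10:00:40 203.0.113.5 USER Administrator
2024-05-01T10:03:00 203.0.113.5 USER Administrator
"""

if __name__ == "__main__":
    for ts, src in run_detection(SAMPLE_LOG):
        print(f"{ts} ALERT sid:4000480 src={src}")
```

Running it reports a single alert for 203.0.113.5 at the fifth matching USER command (10:00:31); the sixth attempt starts a new count, and the attempt at 10:03:00 falls outside the 60-second window, so neither produces an alert on its own. The PASS line and the `alice` login never reach the threshold tracker because the content checks reject them first.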

MITRE ATT&CK Technique

-

Severity

Medium

Recommendations/Investigative actions

It is recommended to limit Administrator login attempts to your FTP service. If possible, block all FTP Administrator login attempts from external networks, or allow access only from specific, known external devices. When investigating, confirm whether the source is a known host, such as a backup or deployment job that authenticates as Administrator, since repeated legitimate logins from one host can also cross the five-attempts-in-60-seconds threshold; for an unknown external source, check the FTP server's authentication logs to determine whether any of the attempts succeeded.