Rule: -- Rule: -- Sid: 354 -- Summary: This event is generated when an attempt is made to login anonymously into an ftp server using a suspicious password (-iss@iss) -- Impact: Possible unauthorized access. Information gathering. -- Detailed Information: ISS Scanner is a security scanner which checks for common vulnerabilities. When it detects an open ftp server, it tries to log in anonymously using the password '-iss@iss' -- Affected Systems: Machines running anonymous ftp servers. -- Attack Scenarios: An attacker scans a range of IPs using the ISS Scanner, checking for known vulnerabilities. If the scanner encounters a ftp server, it tries to log in . -- Ease of Attack: Simple. -- False Positives: A user may be using that same password for a legitimate anonymous login. -- False Negatives: None known. -- Corrective Action: Disable anonymous FTP access. -- Contributors: Original Rule Writer Max Vision <vision@whitehats.com> Sourcefire Research Team Nigel Houghton <nigel.houghton@sourcefire.com> Snort documentation contributed by Chaos <c@aufbix.org> -- Additional References: Arachnids: http://www.whitehats.com/info/IDS331 --