APP-DETECT -- Snort attempted to take unique patterns of traffic and match them to a known application pattern, to confirm whether traffic should be allowed or stopped. (For example, a Get request is usually an HTTP/web application exchange, perhaps Facebook Messenger or other instant messenger, etc.).
APP-DETECT FTP 530 Login failed response
This event is generated when network traffic that indicates a failed FTP login attempt has occurred. Impact: Possible policy violation. Details: This event indicates that indicates a failed FTP login attempt has occurred. Ease of Attack: Simple.
This rule fires when a failed FTP login response message with a code of 530 is detected.
Attacks/Scans seen in the wild
Known false positives, with the described conditions
This will alert on people not correctly entering their passwords, however, if the alerts show a large number of failed attempts from a certain IP it could indicate an attempt at brute forcing FTP passwords.
Cisco Talos
No rule groups
None
No information provided
None
Tactic: Credential Access
Technique: Brute Force
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org
©2025 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
