Snort mailing list archives

Future Directions? Support for multi-channeled protocols?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 21 Feb 2003 08:49:28 +1300

Hi there

While creating some local rules, I realised I was having issues with FTP.
It's a bi-channel protocol (FTP-control and FTP-data), and snort can't
consider them to be one entity - like a PIX or iptables can.

Is that something that can be looked at as an option for the stream
preprocessors (or other)? Being able to say something like:

pass tcp host any -> any FTP (msg:"this is allowed";)

where it encompasses both the FTP control channel, plus the DATA channel
irrespective of it being PASV or non-PASV would be most useful. Doing this
with explicit rules makes you end up doing stupid things like (remember
ipfwadm/non-CBAC IOS anyone?)

pass tcp host any -> any FTP (msg:"FTP-control - this is allowed";)
pass tcp host 1023: -> any 20 (msg:"FTP-nonPASV - this is allowed";)
pass tcp host 1023: -> any :1023 (msg:"FTP-PASV this is allowed";)

- that last one is a bit of a killer...

Same goes for IRC, H323, etc.

Actually, as both Linux netfilter and Snort are GPL - a lot of code could be
stolen straight out of netfilter ;-)

Just an idea...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
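
Added example, not part of the original post and not Snort or netfilter code: a sketch of the control-channel tracking the post asks for, which reads PORT commands and 227 (PASV) replies and records a one-shot expectation for the matching data connection, so no wide port-range pass rule is needed. The names FtpTracker, control_line and is_related are hypothetical, and the addresses in any usage are constructed.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 is sent by the client (active mode, RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) is sent by the server.
PASV_RE = re.compile(r"^227\s.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _endpoint(groups):
    """Turn the six decimal fields into (ip, port); None if a field is > 255."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class FtpTracker:
    """Tracks one FTP control session (hypothetical helper, not a Snort API)."""

    def __init__(self, client, server):
        self.client, self.server = client, server
        self.expected = set()  # (src_ip, dst_ip, dst_port) of announced data channels

    def control_line(self, from_client, line):
        """Feed one control-channel line; return the expectation it creates, if any."""
        m = (PORT_RE if from_client else PASV_RE).match(line.strip())
        ep = _endpoint(m.groups()) if m else None
        if ep is None:
            return None
        ip, port = ep
        sender = self.client if from_client else self.server
        # Only accept an endpoint on the sender's own address and on an
        # unprivileged port; anything else is not a legitimate data channel.
        if ip != sender or port < 1024:
            return None
        peer = self.server if from_client else self.client
        exp = (peer, ip, port)  # the peer opens the data connection
        self.expected.add(exp)
        return exp

    def is_related(self, src, dst, dport):
        """True once for a connection that matches an announced data channel."""
        key = (src, dst, dport)
        if key in self.expected:
            self.expected.discard(key)  # one-shot: a second connection is not covered
            return True
        return False
```
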

