Snort mailing list archives

Re: Future Directions? Support for multi-channeled protocols?


From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 26 Feb 2003 21:29:39 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jason,

Just tracking the FTP session would take a preprocessor. If that was done, then there could be a simple lookup table that marks a packet stream as part of an FTP data session; then you could just have a simple detection plugin that checks the status of the flags and makes decisions (pass, alert, log, etc.) based on them.

     -Marty


On Thursday, February 20, 2003, at 02:49 PM, Jason Haar wrote:

Hi there

While creating some local rules, I realised I was having issues with FTP.
It's a bi-channel protocol (FTP-control and FTP-data), and Snort can't
consider them to be one entity - like a PIX or iptables can.

Is that something that can be looked at as an option for the stream
preprocessors (or other)? Being able to say something like:

pass tcp host any -> any FTP (msg:"this is allowed";)

where it encompasses both the FTP control channel, plus the DATA channel irrespective of it being PASV or non-PASV would be most useful. Doing this
with explicit rules makes you end up doing stupid things like (remember
ipfwadm/non-CBAC IOS anyone?)

pass tcp host any -> any FTP (msg:"FTP-control - this is allowed";)
pass tcp host 1023: -> any 20 (msg:"FTP-nonPASV - this is allowed";)
pass tcp host 1023: -> any :1023 (msg:"FTP-PASV this is allowed";)

- that last one is a bit of a killer...

Same goes for IRC, H323, etc.

Actually, as both Linux netfilter and Snort are GPL - a lot of code could be
stolen straight out of netfilter ;-)

Just an idea...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+XXgYqj0FAQQ3KOARAv6vAJ9+X7sGlc46udva1mRsDWKWVirU+QCfQegI
CUvRybzjOTA1eZOGYBip1Bg=
=RcVZ
-----END PGP SIGNATURE-----
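The tracking scheme Marty sketches above (a preprocessor that follows the control channel, a lookup table of announced data connections, and a detection step that consults it) as an added Python illustration; this is not Snort code and not code from either poster. It assumes an out-of-band caller that already knows which control stream belongs to which client/server pair and feeds it one line at a time; the IP addresses, ports and control lines in `demo()` are constructed sample data. It handles both channel shapes Jason raises: active mode (`PORT`, server connects from port 20 to the client) and PASV mode (`227` reply, client connects to an ephemeral server port). A `PORT` command that names a host other than the client is deliberately not added to the table, since whitelisting it would extend the "allowed" decision to a third party.

```python
import re
from dataclasses import dataclass, field

# FTP encodes host and port as h1,h2,h3,h4,p1,p2 in both the PORT command
# (active mode) and the 227 reply (passive mode); port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six captured decimal fields into ('a.b.c.d', port)."""
    host = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return host, port


@dataclass
class FtpTracker:
    """Lookup table of data connections announced on tracked control channels.

    Key: (src_ip, dst_ip, dst_port) of the data connection we expect to see.
    The source port is left out because it is ephemeral in both modes.
    """
    expected: dict = field(default_factory=dict)

    def observe_control(self, client_ip, server_ip, from_client, line):
        """Preprocessor side: feed one control-channel line. Returns
        (mode, key) when the line announces a data connection, else None."""
        line = line.rstrip("\r\n")
        if from_client:
            m = PORT_RE.match(line)
            if not m:
                return None
            host, port = decode_hostport(m.groups())
            if host != client_ip:
                # PORT naming a host other than the client is not a normal
                # transfer (the classic FTP bounce shape); do not whitelist it.
                return ("third-party-port", (server_ip, host, port))
            key = (server_ip, host, port)      # server opens data conn to client
            self.expected[key] = "active"
            return ("active", key)
        m = PASV_RE.match(line)
        if not m:
            return None
        host, port = decode_hostport(m.groups())
        key = (client_ip, host, port)          # client opens data conn to server
        self.expected[key] = "passive"
        return ("passive", key)

    def classify(self, src_ip, src_port, dst_ip, dst_port):
        """Detection-plugin side: is this flow an announced FTP data session?
        Returns 'active', 'passive' or None. Entries are consumed on first use
        so one stale announcement cannot keep whitelisting later connections."""
        return self.expected.pop((src_ip, dst_ip, dst_port), None)


def demo():
    """Constructed control-channel exchange plus a few candidate data flows."""
    client, server = "10.0.0.5", "192.0.2.10"   # constructed sample addresses
    tr = FtpTracker()
    tr.observe_control(client, server, True, "PORT 10,0,0,5,4,1\r\n")
    tr.observe_control(client, server, False,
                       "227 Entering Passive Mode (192,0,2,10,200,10)\r\n")
    bounce = tr.observe_control(client, server, True, "PORT 198,51,100,7,0,25\r\n")
    return {
        "active_flow": tr.classify(server, 20, client, 1025),
        "passive_flow": tr.classify(client, 40000, server, 51210),
        "unrelated_flow": tr.classify(client, 40001, server, 22),
        "replayed_active": tr.classify(server, 20, client, 1025),
        "bounce": bounce,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A rule such as Jason's `pass tcp host any -> any FTP` would then map onto `classify()` returning a non-None mode for the data flow, while the control channel itself is matched on port 21 as before; the one-shot table entry is what keeps the wide `1023: -> :1023` pass rule from being needed.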


