Re: ftp preprocessor problem

[Todd Wease <twease () sourcefire com>]

The chk_str_fmt looks for 2 or more '%' in the command arguments which 
implies a string format attack.  If you don't care about this sort of 
attack, I suggest you remove the chk_str_fmt lines in your ftptelnet 
configuration.

serdar uzun wrote:
> No, all commands. I put that line because I had got many alerts before I wrote that line.
>
> If I remove this line;
>
> >     chk_str_fmt { LIST RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
>
> then no alerts seen. But I think this is same as not working with snort. Should be a different solution.
>
> Thanks..
>
>
> Todd Wease <twease () sourcefire com> wrote: So you're only getting alerts relating to the LIST command?  I would 
> recommend removing the line:
>
> cmd_validity LIST < [ string ] >
>
> This means nothing or anything after the LIST command and really has no 
> effect.
>
> Looks like a potential bug in the case where there is no argument to the 
> command and the validity check only has optional parameters.
>
> Thanks,
> Todd
>
> serdar uzun wrote:
> > Hi,
> >
> > preprocessor ftp_telnet: \
> >     global \
> >     encrypted_traffic yes \
> >     check_encrypted \
> >     inspection_type stateful
> >
> > preprocessor ftp_telnet_protocol: \
> >     telnet \
> >     ayt_attack_thresh 20 \
> >     normalize ports { 23 } \
> >     detect_anomalies
> >
> > preprocessor ftp_telnet_protocol: \
> >     ftp server default \
> >     def_max_param_len 100 \
> >     ports { 21 2100 } \
> >     ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
> >     ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
> >     ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
> >     ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
> >     ftp_cmds { FEAT OPTS CEL CMD MACB } \
> >     ftp_cmds { MDTM REST SIZE MLST MLSD } \
> >     ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
> >     alt_max_param_len 0 { CDUP FEAT QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
> >     alt_max_param_len 100 { OPTS LIST MDTM CEL XCWD SITE USER PASS REST DELE RMD TEST STAT MACB EPSV CLNT LPRT } \
> >     alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
> >         alt_max_param_len 256 { RNTO CWD } \
> >     alt_max_param_len 400 { PORT } \
> >         alt_max_param_len 512 { SIZE } \
> >     chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
> >     chk_str_fmt { LIST RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
> >     chk_str_fmt { NLST SITE STAT HELP } \
> >     chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
> >     chk_str_fmt { OPTS CEL CMD } \
> >     chk_str_fmt { MDTM REST SIZE MLST MLSD } \
> >     chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
> >     cmd_validity MODE < char ASBCZ > \
> >     cmd_validity STRU < char FRP > \
> >     cmd_validity LIST < [ string ] > \
> >     cmd_validity ALLO < int [ char R int ] > \
> >     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
> >     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> >     cmd_validity PORT < host_port >
> >
> > preprocessor ftp_telnet_protocol: \
> >     ftp client default \
> >     max_resp_len 200 \
> >     bounce yes \
> >     telnet_cmds no
> >
> > (2) ftp_pp: FTP malformed parameter
> >
> > in the packet portion I see only LIST command. (exactly this: LIST..  )
> >
> > Todd Wease  wrote: Hi Serdar,
> >
> > (1) Can you post your entire ftptelnet configuration?
> > (2) Can you post the exact alerts you are seeing?
> >
> > Thanks,
> > Todd
> >
> > serdar uzun wrote:
> > >  Hi,
> > >
> > >  Snort alerts all ftp commands such as LIST, OPTS. The config of the
> > >  ftp
> > >  preprocessor is
> > >
> > >  ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
> > >  chk_str_fmt { LIST RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD
> > >  MKD } \
> > >  cmd_validity LIST < [ string ] > \
> > >
> > >  what may be the reason?
> > >
> > >  my snort version is snort-2.8.0.1.
> > >
> > >
> > >
> > >        
> > > ---------------------------------
> > > Looking for last minute shopping deals?  Find them fast with Yahoo! Search.
> > >
> > >
> > > ------------------------------------------------------------------------
> > >
> > > -------------------------------------------------------------------------
> > > This SF.net email is sponsored by: Microsoft
> > > Defy all challenges. Microsoft(R) Visual Studio 2008.
> > > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > >
> > >
> > > ------------------------------------------------------------------------
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >        
> > ---------------------------------
> > Be a better friend, newshound, and know-it-all with Yahoo! Mobile.  Try it now.
>
>
>
>        
> ---------------------------------
> Be a better friend, newshound, and know-it-all with Yahoo! Mobile.  Try it now.


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users