Snort mailing list archives
Re: ftp preprocessor problem
From: Todd Wease <twease () sourcefire com>
Date: Fri, 29 Feb 2008 14:11:59 -0500
The chk_str_fmt looks for 2 or more '%' in the command arguments which implies a string format attack. If you don't care about this sort of attack, I suggest you remove the chk_str_fmt lines in your ftptelnet configuration.

serdar uzun wrote:

> No, all commands. I put that line because I had got many alerts before I wrote that line. If I remove this line;
>
>     chk_str_fmt { LIST RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
>
> then no alerts seen. But I think this is same as not working with snort. Should be a different solution. Thanks..
>
> Todd Wease <twease () sourcefire com> wrote:
>
>> So you're only getting alerts relating to the LIST command? I would recommend removing the line:
>>
>>     cmd_validity LIST < [ string ] >
>>
>> This means nothing or anything after the LIST command and really has no effect. Looks like a potential bug in the case where there is no argument to the command and the validity check only has optional parameters.
>>
>> Thanks,
>> Todd
>>
>> serdar uzun wrote:
>>
>>> Hi,
>>>
>>>     preprocessor ftp_telnet: \
>>>         global \
>>>         encrypted_traffic yes \
>>>         check_encrypted \
>>>         inspection_type stateful
>>>
>>>     preprocessor ftp_telnet_protocol: \
>>>         telnet \
>>>         ayt_attack_thresh 20 \
>>>         normalize ports { 23 } \
>>>         detect_anomalies
>>>
>>>     preprocessor ftp_telnet_protocol: \
>>>         ftp server default \
>>>         def_max_param_len 100 \
>>>         ports { 21 2100 } \
>>>         ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
>>>         ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
>>>         ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
>>>         ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
>>>         ftp_cmds { FEAT OPTS CEL CMD MACB } \
>>>         ftp_cmds { MDTM REST SIZE MLST MLSD } \
>>>         ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>>>         alt_max_param_len 0 { CDUP FEAT QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
>>>         alt_max_param_len 100 { OPTS LIST MDTM CEL XCWD SITE USER PASS REST DELE RMD TEST STAT MACB EPSV CLNT LPRT } \
>>>         alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
>>>         alt_max_param_len 256 { RNTO CWD } \
>>>         alt_max_param_len 400 { PORT } \
>>>         alt_max_param_len 512 { SIZE } \
>>>         chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
>>>         chk_str_fmt { LIST RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
>>>         chk_str_fmt { NLST SITE STAT HELP } \
>>>         chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
>>>         chk_str_fmt { OPTS CEL CMD } \
>>>         chk_str_fmt { MDTM REST SIZE MLST MLSD } \
>>>         chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>>>         cmd_validity MODE < char ASBCZ > \
>>>         cmd_validity STRU < char FRP > \
>>>         cmd_validity LIST < [ string ] > \
>>>         cmd_validity ALLO < int [ char R int ] > \
>>>         cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
>>>         cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>>>         cmd_validity PORT < host_port >
>>>
>>>     preprocessor ftp_telnet_protocol: \
>>>         ftp client default \
>>>         max_resp_len 200 \
>>>         bounce yes \
>>>         telnet_cmds no
>>>
>>> (2) ftp_pp: FTP malformed parameter
>>>
>>> in the packet portion I see only LIST command. (exactly this: LIST.. )
>>>
>>> Todd Wease wrote:
>>>
>>>> Hi Serdar,
>>>>
>>>> (1) Can you post your entire ftptelnet configuration?
>>>> (2) Can you post the exact alerts you are seeing?
>>>>
>>>> Thanks,
>>>> Todd
>>>>
>>>> serdar uzun wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Snort alerts all ftp commands such as LIST, OPTS. The config of the ftp preprocessor is
>>>>>
>>>>>     ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
>>>>>     chk_str_fmt { LIST RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
>>>>>     cmd_validity LIST < [ string ] > \
>>>>>
>>>>> what may be the reason? my snort version is snort-2.8.0.1.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
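An added example, not Snort's code and not from anyone in this thread: a small Python model of the two ftp_telnet server checks discussed above, the chk_str_fmt rule (two or more '%' in a command argument) and cmd_validity for a command whose only parameter is optional, run over constructed FTP command lines. The command subset, the tuple encoding of the cmd_validity lines and the alert tags are assumptions made for the example.

```python
# Constructed subset of the thread's chk_str_fmt command lists.
CHK_STR_FMT_CMDS = {"USER", "PASS", "CWD", "LIST", "RETR", "STOR", "NLST", "SITE"}

# Assumed encoding of three cmd_validity lines from the thread as
# (parameter kind, allowed characters, parameter is optional):
#   cmd_validity MODE < char ASBCZ >
#   cmd_validity STRU < char FRP >
#   cmd_validity LIST < [ string ] >   -- the whole parameter is optional
CMD_VALIDITY = {
    "MODE": ("char", "ASBCZ", False),
    "STRU": ("char", "FRP", False),
    "LIST": ("string", None, True),
}

def parse_cmd(line):
    """Split one FTP command line into (COMMAND, argument)."""
    cmd, _, arg = line.rstrip("\r\n").partition(" ")
    return cmd.upper(), arg

def str_fmt_alert(cmd, arg):
    """chk_str_fmt rule: two or more '%' in the argument implies a format string attack."""
    return cmd in CHK_STR_FMT_CMDS and arg.count("%") >= 2

def validity_alert(cmd, arg):
    """cmd_validity rule: True when the argument violates the command's spec.
    A missing argument violates the spec only when the parameter is required,
    so a bare LIST (the case discussed in the thread) must not alert."""
    spec = CMD_VALIDITY.get(cmd)
    if spec is None:
        return False
    kind, allowed, optional = spec
    if arg == "":
        return not optional
    if kind == "char":
        return not (len(arg) == 1 and arg in allowed)
    return False  # "string" accepts any non-empty argument

def inspect(line):
    """Return the list of checks that would alert on this command line."""
    cmd, arg = parse_cmd(line)
    alerts = []
    if str_fmt_alert(cmd, arg):
        alerts.append("chk_str_fmt")
    if validity_alert(cmd, arg):
        alerts.append("cmd_validity")
    return alerts

if __name__ == "__main__":  # constructed sample traffic
    for line in ["LIST\r\n", "LIST -la\r\n", "USER %s%s\r\n", "MODE Q\r\n"]:
        print(repr(line), inspect(line))
```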
Current thread:
- ftp preprocessor problem serdar uzun (Feb 28)
- <Possible follow-ups>
- Re: ftp preprocessor problem Todd Wease (Feb 29)
- Re: ftp preprocessor problem Todd Wease (Feb 29)