Snort mailing list archives

Re: snort ftp preprocessor alerts on port 2100 ??


From: Steven Sturges <steve.sturges () sourcefire com>
Date: Wed, 09 Jul 2008 09:03:38 -0400

Hi Russell--

This certainly seems strange, given the configuration you
provide below... Any chance you can provide a pcap from
the packet that generated the alert?

I'm wondering if there is a presentation issue in the
post-processing software you are using.

Cheers.
-steve

Russell Fulton wrote:
Hi

I'm seeing ftp preprocessor alerts from traffic on port 2100 and I
can't see why.

From snort conf:

preprocessor ftp_telnet_protocol: ftp server default \
   ports { 21 } \
   def_max_param_len 100 \
   ftp_cmds { USER PASS ACCT CWD CDUP SMNT \
     QUIT REIN PORT PASV TYPE STRU MODE RETR STOR STOU APPE ALLO REST \
     RNFR RNTO ABOR DELE RMD MKD PWD LIST NLST SITE SYST STAT HELP NOOP } \
   ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
   ftp_cmds { FEAT OPTS } \
   ftp_cmds { MDTM REST SIZE MLST MLSD EPSV } \
   alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity STRU < char FRP > \
   cmd_validity ALLO < int [ char R int ] > \
   cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
   cmd_validity PORT < host_port >

Which clearly says port 21.

Yet I see:

META  
SID   CID     TimeStamp       Signature       Sig ID
1     5823276 2008-07-08 13:53:23     ftp_pp: Invalid FTP command     2
Sensor Hostname       Sensor Interface
monitor-itss.insec.auckland.ac.nz     ITSS sector switch
IP
Source Address        Dest Address    Ver     Hdr Len TOS     length  ID      flags   offset  TTL     chksum
130.216.138.211       130.216.123.59  4       5       0       172     16279   2       0       127     45045
Resolved Source       Resolved Dest
macula.opt.auckland.ac.nz     tamexam8.opt.auckland.ac.nz
TCP
Source Port   Dest Port       Seq     Ack     Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
1158  2100    2491263236      988172587       5       0       24      65211   58408   0
Options
None
Flags
RB 1  RB 0    URG     ACK     PSH     RST     SYN     FIN


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

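An added example, not part of the thread: a small Python model of the server-side checks in Russell's ftp_telnet configuration above. The port gate runs first, which is why a command sent to port 2100 should never reach the FTP command checks at all; the regexes are a hand translation of the cmd_validity rules (an assumption, not the preprocessor's own grammar), and the alert labels other than "Invalid FTP command" (Sig ID 2 on the page) are descriptive names, not Snort's message strings.

```python
import re

# Values taken from the quoted snort.conf fragment.
FTP_PORTS = {21}                                   # ports { 21 }
DEF_MAX_PARAM_LEN = 100                            # def_max_param_len 100
ALT_MAX_PARAM_LEN = {c: 0 for c in               # alt_max_param_len 0 { ... }
                     "CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP".split()}
FTP_CMDS = set(("USER PASS ACCT CWD CDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE "
                "RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD LIST "
                "NLST SITE SYST STAT HELP NOOP AUTH ADAT PROT PBSZ CONF ENC FEAT "
                "OPTS MDTM SIZE MLST MLSD EPSV").split())

# Hand translation of the cmd_validity rules into regexes over the parameter
# string (assumption: approximates, does not reproduce, Snort's own matcher).
CMD_VALIDITY = {
    "MODE": r"[ASBCZ]",                        # < char ASBCZ >
    "STRU": r"[FRP]",                          # < char FRP >
    "ALLO": r"\d+( R \d+)?",                   # < int [ char R int ] >
    "TYPE": r"[AE]( [NTC])?|I|L( \d+)?",       # < { char AE [ char NTC ] | char I | char L [ number ] } >
    "PORT": r"(\d{1,3},){5}\d{1,3}",           # < host_port >
}


def check_ftp_command(dst_port, line):
    """Return the alert this server config would raise for one command line, or None."""
    if dst_port not in FTP_PORTS:
        return None                            # not a configured FTP port: never inspected
    cmd, _, param = line.rstrip("\r\n").partition(" ")
    cmd = cmd.upper()
    if cmd not in FTP_CMDS:
        return "Invalid FTP command"           # the alert in the thread (Sig ID 2)
    limit = ALT_MAX_PARAM_LEN.get(cmd, DEF_MAX_PARAM_LEN)
    if len(param) > limit:
        return "parameter too long"            # descriptive label, not Snort's string
    rule = CMD_VALIDITY.get(cmd)
    if rule and not re.fullmatch(rule, param):
        return "malformed parameter"           # descriptive label, not Snort's string
    return None


if __name__ == "__main__":
    # Constructed sample traffic: the port-2100 line mirrors the alert in the thread.
    for port, line in [(2100, "USER anonymous"), (21, "XYZZ foo"), (21, "TYPE A N"),
                       (21, "NOOP x"), (21, "PORT 130,216,138,211,4,134")]:
        print(port, line, "->", check_ftp_command(port, line))
```

Under this model no alert is possible for the port-2100 packet, so an alert attributed to it points at either a different port set actually loaded by the running sensor or, as Steve suggests, the console presenting the wrong packet.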

