Snort mailing list archives

Re: FTP passive data transfer FP's and flowbits


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Tue, 11 Jan 2011 11:26:45 -0700

I've never personally seen it, but the FTP preprocessor rules may be able to alert you to zero-day exploits against an 
FTP server, mainly due to the command length and string settings.

Unfortunately, the settings as given in the snort distro, false positive a lot with my FTP servers (mostly Windows IIS, 
but also Unix/Linux). I've had to adjust the settings quite a bit to get the false positive rate down, which may have 
eliminated most of the potential benefit I'm getting from the ftp preprocessor.

I'll have to look at the VRT settings for the ftp preprocessor to see if they are "pre-tuned" any different than the 
snort distro snort.conf.




-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com] 
Sent: Tuesday, January 11, 2011 10:04 AM
To: Jason Brvenik
Cc: Kungu Panda; snort-users () lists sourceforge net
Subject: Re: [Snort-users] FTP passive data transfer FP's and flowbits

I think Jason's explanation helps a lot.

Joel, here's what you guys can do to improve things:  Firstly, stop issuing preproc alerts from FTP.  If someone could 
tell me when this has actually led to witnessing an attempted break-in, I'd really like to hear it.  You could go a 
step further and focus on getting the data in a buffer available to content match if a rule wants it that way.  I would 
argue that this technique should be done for all the preprocs.
That is, there should be no other generator IDs other than 1.  All alerts should be in the form of a rule which refers 
to specific buffers (ftp_data, ssl_cert, etc.) similar to http_uri.  Now that you guys have your shiny new SO to debug 
buffers, this should be easier to develop.  That will go a long way towards simplifying configurations as well as 
making it crystal-clear what rules can trigger along the lines of the way the text hooks for the SO rules work.

------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks Learn about various malware tactics and how to avoid them. 
Understand malware threats, the impact they can have on your business, and how you can protect your company and 
customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

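As an added example, not taken from either poster or from the Snort distribution's snort.conf: the kind of `ftp_telnet_protocol` server block whose command-length and string-format settings Shawn describes adjusting to bring the false-positive rate down. The option names are the ftp_telnet preprocessor's documented ones; the port list, the commands grouped under each length limit, and the raised length values are assumptions chosen to show where long Windows paths from IIS would be tuned, not measured values from anyone's deployment.

```conf
# Added example: Snort 2.x ftp_telnet configuration with loosened length
# limits. All numeric values and command groupings below are assumptions
# for illustration only.

preprocessor ftp_telnet: global \
    inspection_type stateful \
    encrypted_traffic no \
    check_encrypted

# Server side. The length checks are what raise the "long command parameter"
# preprocessor alerts: def_max_param_len applies to every command that has no
# alt_max_param_len of its own. The path-carrying commands get a higher limit
# (512 here, an assumption) so deep directory trees on IIS stop tripping it.
# The argument-shape checks (cmd_validity) and the string-format check
# (chk_str_fmt) are kept because they are cheap and rarely false positive;
# drop a command from chk_str_fmt only if its legitimate arguments carry '%'.
preprocessor ftp_telnet_protocol: ftp server default \
    ports { 21 } \
    ftp_cmds { XPWD XCWD XCUP XMKD XRMD } \
    def_max_param_len 100 \
    alt_max_param_len 512 { CWD MKD RMD RETR STOR LIST NLST } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity PORT < host_port > \
    cmd_validity ALLO < int [ char R int ] > \
    chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
    telnet_cmds yes \
    ignore_telnet_erase_cmds yes \
    ignore_data_chan yes

# Client side: bounce detection and response-length checking stay on.
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    ignore_telnet_erase_cmds yes \
    telnet_cmds yes
```

Two caveats on this trade. Raising alt_max_param_len buys quiet at the cost of exactly the long-argument detection Shawn credits the preprocessor with, so the raised value should sit just above the longest legitimate path observed, not at a round number picked for convenience. And `ignore_data_chan yes` stops the preprocessor from inspecting the data channel, which removes the passive-transfer false positives but also means nothing else sees that traffic; whether the preprocessor's own alerts fire at all is controlled per rule in preprocessor.rules, and they still arrive under the ftp_telnet generator ID rather than GID 1, which is the point Martin is making about moving such checks into buffer-matching rules. Replaying a capture of the affected servers through the tuned config (`snort -c snort.conf -r capture.pcap`) before and after the change is the quickest way to confirm the alert count actually drops.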

