Snort mailing list archives

Re: Bug in src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c


From: Reinoud Koornstra <sockstat () hotmail com>
Date: Thu, 12 Sep 2013 16:46:24 +0000

Hi,

 

The code looked correct to me too, but didn't work the way I hoped for.

What I was trying to achieve is to get stream reassembly for FTP like it's done for HTTP and other protocols.

Every 4 or more full MTU packets I saw that Snort reassembled some packet content together into a big packet of 17k bytes.

It doesn't do this for FTP; stream reassembly doesn't seem to work there.

I thought it was due to my inability to get identify open data channel going, as every time when Snort starts it said it was not active, even though I had ignore_data_chan no in my FTP config, as you can see below.

With this argument, identify open data channel still wouldn't be on, and I instrumented the code to see.

Even with this argument, if (!strcasecmp("yes", pcToken)) doesn't trigger and doesn't match.

In the current code, with ignore_data_chan set to no, ServerConf->data_chan is set to 0.

 

Also, is stream reassembly happening with ftp-data packets like with HTTP etc.?

I never see packets of 17k being formed and inspected by Snort like it does with HTTP.

Thanks,

 

Reinoud.

 

 

# FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
preprocessor ftp_telnet_protocol: telnet \
    ayt_attack_thresh 20 \
    normalize ports { 23 } \
    detect_anomalies
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 3535 } \
    telnet_cmds yes \
    ignore_telnet_erase_cmds yes \
    ignore_data_chan no \
    ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
    ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
    ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
    ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
    ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
    ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
    ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
    ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
    ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
    ftp_cmds { XSEN XSHA1 XSHA256 } \
    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
    alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
    alt_max_param_len 256 { CWD RNTO } \
    alt_max_param_len 400 { PORT } \
    alt_max_param_len 512 { SIZE } \
    chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
    chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
    chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
    chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
    chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
    chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
    chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
    chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
    cmd_validity MACB < string > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity PORT < host_port > \
    cmd_validity PROT < char CSEP > \
    cmd_validity STRU < char FRPO [ string ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
preprocessor ftp_telnet_protocol: ftp client default \
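
The comparison discussed in this thread, reproduced as an added C example (this is not Snort's code; the function names parse_yes_no_original, parse_yes_no_patched and parse_ignore_data_chan_line are hypothetical, and the whitespace tokeniser is a simple stand-in for the preprocessor's own config parser). It shows why !strcasecmp("yes", pcToken) is true exactly when the token is "yes", what the proposed strncmp(...) != 0 form does with the same tokens, and how a config value such as "ignore_data_chan no" reaches that comparison:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp(), strncasecmp() */

/* Added example, not Snort code.  Models the yes/no parsing of the
 * ignore_data_chan server option discussed in the thread.
 * Returns 1 for "yes", 0 for "no", -1 for any other token. */
int parse_yes_no_original(const char *pcToken)
{
    /* strcasecmp() returns 0 on a case-insensitive match, so the
     * negation is true exactly when the token is "yes". */
    if (!strcasecmp("yes", pcToken))
        return 1;
    else if (!strcasecmp("no", pcToken))
        return 0;
    return -1;   /* unrecognised value */
}

/* The comparisons the proposed patch would install.  strncmp() != 0 is
 * true whenever the first 3 bytes do NOT equal "yes", so the first branch
 * fires for every token except "yes", and "yes" itself falls through. */
int parse_yes_no_patched(const char *pcToken)
{
    if (strncmp("yes", pcToken, 3) != 0)
        return 1;
    else if (strncmp("no", pcToken, 2) != 0)
        return 0;
    return -1;
}

/* Splits one "option value" config line on whitespace and parses the
 * value that follows ignore_data_chan with the original comparison.
 * Returns -1 if the option or its value is absent or the value is too long. */
int parse_ignore_data_chan_line(const char *line)
{
    const char *ws = " \t\r\n";
    const char *name = "ignore_data_chan";
    const char *p = line;
    char tok[64];

    while (*p) {
        size_t len;
        p += strspn(p, ws);            /* skip leading whitespace */
        len = strcspn(p, ws);          /* length of the next token */
        if (len == 0)
            break;
        if (len == strlen(name) && strncasecmp(p, name, len) == 0) {
            p += len;
            p += strspn(p, ws);        /* move to the option's value */
            len = strcspn(p, ws);
            if (len == 0 || len >= sizeof tok)
                return -1;
            memcpy(tok, p, len);
            tok[len] = '\0';
            return parse_yes_no_original(tok);
        }
        p += len;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample tokens; "yesterday" shows the 3-byte prefix issue. */
    const char *tokens[] = { "yes", "no", "YES", "No", "yesterday", "maybe" };
    size_t i;

    printf("%-10s %-9s %s\n", "token", "original", "patched");
    for (i = 0; i < sizeof tokens / sizeof tokens[0]; i++)
        printf("%-10s %-9d %d\n", tokens[i],
               parse_yes_no_original(tokens[i]),
               parse_yes_no_patched(tokens[i]));

    /* Constructed config line in the style of the one quoted above. */
    printf("ignore_data_chan line -> %d\n",
           parse_ignore_data_chan_line("    ignore_data_chan no \\"));
    return 0;
}
```

With the original comparison "yes"/"YES" give 1, "no"/"No" give 0 and anything else is rejected; with the patched comparison "no" and "maybe" land in the "yes" branch while "yes" and "yesterday" land in the "no" branch, so a value of no really does leave data_chan at 0 under the shipped code, and the inverted test would not fix that.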

 



Date: Thu, 12 Sep 2013 11:09:33 -0400
Subject: Re: [Snort-devel] Bug in src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c
From: rcombs () sourcefire com
To: sockstat () hotmail com
CC: snort-devel () lists sourceforge net





Hi.  That code looks correct w/o patching.  strncasecmp(a,b) returns zero if a matches b.

I'm not clear on the issue that you are having.  What is your ftp configuration and what are you trying to do?


Let me know and we'll try to get it figured out.


Thanks
Russ





On Thu, Sep 12, 2013 at 3:30 AM, Reinoud Koornstra <sockstat () hotmail com> wrote:



Hi Everyone,
 
I've been struggling with trying to activate this option, Identify open data channels.
Even with the parameter ignore_data_chan no, it wouldn't activate.
After some instrumentation I found that we were turning it off because of a comparison that didn't go right.
Even with ignore_data_chan set to no, we'd still come into the else if, which wasn't correct.
Here's a fix to the problem:
 
---- src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c.orig 2013-09-12 00:17:29.301433818 -0700
+++ src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c 2013-09-12 00:21:54.441437865 -0700
@@ -1403,11 +1403,11 @@
                                          confOption);
         return FTPP_FATAL_ERR;
     }
-    if (!strcasecmp("yes", pcToken))
+    if (strncmp("yes", pcToken, 3) != 0)
     {
         ServerConf->data_chan = 1;
     }
-    else if (!strcasecmp("no", pcToken))
+    else if (strncmp("no", pcToken, 2) != 0)
     {
         if (ServerConf->data_chan == 1)
         {
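Review bot: the replacement comparisons invert the test. strncmp() returns 0 on a match, so `if (strncmp("yes", pcToken, 3) != 0)` is true for every token except "yes" (including "no", which would then set ServerConf->data_chan = 1), while a literal "yes" falls through to the "no" branch. The original `if (!strcasecmp("yes", pcToken))` is the correct form: it is true exactly when the token is "yes", case-insensitively; the patch also drops that case-insensitivity and, with a length of 3, would accept any token that merely starts with "yes". The observed behaviour (data_chan staying 0 for ignore_data_chan no) is what the visible branches are written to produce, since only the "yes" branch sets data_chan = 1, so suggest dropping this change and looking at what the option is documented to do rather than at the comparison.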
 
Thanks,
 
Reinoud.

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. Consolidate legacy IT systems to a single system of record for IT
2. Standardize and globalize service processes across IT
3. Implement zero-touch automation to replace manual, redundant tasks
http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

                                          