Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] FP with telnet preprocessor....

from [Justin Heath] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] FP with telnet preprocessor....
Date: Tue, 21 Aug 2007 10:40:14 -0400 
You can add the following to your ftptelnet config to stop alerting and
inspecting this data if it is causing an issue.

encrypted_traffic no

Cheers,
Justin


On 8/20/07, Russell Fulton <r.fulton@auckland.ac.nz> wrote:


 Not exactly a signature issue but this seems to be the best place to
post.

I've just installed 2.7 and turned on the ftp/telnet preprocessor -- I see
that the both ftp and telnet are generating these alerts.  I assume that it
decides stuff is encrypted if it strikes anything that is not in its
protocol model. In the case of the ftp some of the packets were seriously
broken but theses telent alterts, like the one below, are from a range of
systems and all have the same form suggesting that there is something
lacking in the model.

Russell

  META   SID CID TimeStamp Signature Sig ID  6 8815382 2007-08-20 16:18:15 
telnet_pp:
Telnet data encrypted 2 <http://www.snort.org/snort-db/sid.html?sid=2>    
Sensor
Hostname Sensor Interface  monitor-dmzo.isec.auckland.ac.nz dmz sensor
IP   Source Address Dest Address Ver Hdr Len TOS length ID flags offset
TTL chksum  130.216.x.yy 216.155.193.135 4 5 0 89 58040 2 0 126 63296    
Resolved
Source Resolved Dest  abbb.ccc.auckland.ac.nz  cs8.msg.dcn.yahoo.com
TCP   Source Port Dest Port Seq Ack Offset Reserved Flags Window Checksum 
Urgent
Ptr  1262 23 2057010961 1040909924 5 0 24 64816 12746 0    Options  None
Flags
  RB 1 RB 0 URG ACK PSH RST SYN FIN


 X X


    DATA

594D5347000F0000001D

00C600000000764AB787

3130C080393939C08031

39C080C0803937C08031

C0803437C08032C080


             YMSG......

......vJ..

10..999..1

9....97..1

..47..2..


                ------------------------------
  DATA

YMSG............vJ..10..999..19....97..1..47..2..


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-sigs] FP with telnet preprocessor...., Joel Esler
Next by Date:  Re: [Snort-sigs] FP with telnet preprocessor...., trains
Previous by Thread:  Re: [Snort-sigs] FP with telnet preprocessor...., Joel Esler
Next by Thread:  Re: [Snort-sigs] FP with telnet preprocessor...., trains
Indexes:  [Date] [Thread] [Top] [All Lists]