Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] ftp preprocessor problem

from [Todd Wease] Network Security [Permanent Link]
Subject: Re: [Snort-users] ftp preprocessor problem
Date: Fri, 29 Feb 2008 10:45:16 -0500 
So you're only getting alerts relating to the LIST command?  I would 
recommend removing the line:

cmd_validity LIST < [ string ] >

This means nothing or anything after the LIST command and really has no 
effect.

Looks like a potential bug in the case where there is no argument to the 
command and the validity check only has optional parameters.

Thanks,
Todd

serdar uzun wrote:

Hi,

preprocessor ftp_telnet: \
    global \
    encrypted_traffic yes \
    check_encrypted \
    inspection_type stateful

preprocessor ftp_telnet_protocol: \
    telnet \
    ayt_attack_thresh 20 \
    normalize ports { 23 } \
    detect_anomalies

preprocessor ftp_telnet_protocol: \
    ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 } \
    ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU 
MODE } \
    ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD 
} \
    ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
    ftp_cmds { FEAT OPTS CEL CMD MACB } \
    ftp_cmds { MDTM REST SIZE MLST MLSD } \
    ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    alt_max_param_len 0 { CDUP FEAT QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
    alt_max_param_len 100 { OPTS LIST MDTM CEL XCWD SITE USER PASS REST DELE 
RMD TEST STAT MACB EPSV CLNT LPRT } \
    alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP 
} \
        alt_max_param_len 256 { RNTO CWD } \
    alt_max_param_len 400 { PORT } \
        alt_max_param_len 512 { SIZE } \
    chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
    chk_str_fmt { LIST RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } 
\
    chk_str_fmt { NLST SITE STAT HELP } \
    chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
    chk_str_fmt { OPTS CEL CMD } \
    chk_str_fmt { MDTM REST SIZE MLST MLSD } \
    chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity STRU < char FRP > \
    cmd_validity LIST < [ string ] > \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } 

\

    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity PORT < host_port >

preprocessor ftp_telnet_protocol: \
    ftp client default \
    max_resp_len 200 \
    bounce yes \
    telnet_cmds no

(2) ftp_pp: FTP malformed parameter

in the packet portion I see only LIST command. (exactly this: LIST..  )

Todd Wease <twease@sourcefire.com> wrote: Hi Serdar,

(1) Can you post your entire ftptelnet configuration?
(2) Can you post the exact alerts you are seeing?

Thanks,
Todd

serdar uzun wrote:

 Hi,

 Snort alerts all ftp commands such as LIST, OPTS. The config of the
 ftp
 preprocessor is

 ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
 chk_str_fmt { LIST RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD
 MKD } \
 cmd_validity LIST < [ string ] > \

 what may be the reason?

 my snort version is snort-2.8.0.1.



       
---------------------------------
Looking for last minute shopping deals?  Find them fast with Yahoo! Search.


------------------------------------------------------------------------

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/


------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




       
---------------------------------
Be a better friend, newshound, and know-it-all with Yahoo! Mobile.  Try it 
now.



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] ftp preprocessor problem, serdar uzun
Next by Date:  Re: [Snort-users] ftp preprocessor problem, Todd Wease
Previous by Thread:  [Snort-users] ftp preprocessor problem, serdar uzun
Next by Thread:  Re: [Snort-users] ftp preprocessor problem, Todd Wease
Indexes:  [Date] [Thread] [Top] [All Lists]