Network Security: Detailed info on [Snort-users] snort ftp preprocessor alerts on port 2100 ??

Subject:	[Snort-users] snort ftp preprocessor alerts on port 2100 ??
Date:	Wed, 9 Jul 2008 09:37:43 +1200

HI

I'm seeing ftp preprocessor alerts from traffic on port 2100 and I  
can't see why.

 From snort conf:

preprocessor ftp_telnet_protocol: ftp server default \
   ports { 21 } \
   def_max_param_len 100 \
   ftp_cmds { USER PASS ACCT CWD CDUP SMNT \
     QUIT REIN PORT PASV TYPE STRU MODE RETR STOR STOU APPE ALLO REST \
     RNFR RNTO ABOR DELE RMD MKD PWD LIST NLST SITE SYST STAT HELP  
NOOP } \
   ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
   ftp_cmds { FEAT OPTS } \
   ftp_cmds { MDTM REST SIZE MLST MLSD EPSV } \
   alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity STRU < char FRP > \
   cmd_validity ALLO < int [ char R int ] > \
   cmd_validity TYPE < { char AE [ char NTC ] | char I | char L  
[ number ] } > \
   cmd_validity PORT < host_port >

Which clearly says port 21.

Yet I see:

META    
SID     CID     TimeStamp       Signature       Sig ID
1       5823276 2008-07-08 13:53:23     ftp_pp: Invalid FTP command     2
Sensor Hostname Sensor Interface
monitor-itss.insec.auckland.ac.nz       ITSS sector switch
IP      
Source Address  Dest Address    Ver     Hdr Len TOS     length  ID      flags   
offset  TTL      
chksum
130.216.138.211 130.216.123.59  4       5       0       172     16279   2       
0       127     45045
Resolved Source Resolved Dest
macula.opt.auckland.ac.nz       tamexam8.opt.auckland.ac.nz
TCP     
Source Port     Dest Port       Seq     Ack     Offset  Reserved        Flags   
Window  Checksum         
Urgent Ptr
1158    2100    2491263236      988172587       5       0       24      65211   
58408   0
Options
None
Flags
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN


-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] snort ftp preprocessor alerts on port 2100 ??, Russell Fulton <= Re: [Snort-users] snort ftp preprocessor alerts on port 2100 ??, Steven Sturges

Previous by Date:	Re: [Snort-users] OT: change msg option in rules files with oinkmaster, Markus Lude
Next by Date:	Re: [Snort-users] WEB-CLIENT Excel malformed FBI record - False positive?, Jesper Skou Jensen
Previous by Thread:	[Snort-users] OT: change msg option in rules files with oinkmaster, carlopmart
Next by Thread:	Re: [Snort-users] snort ftp preprocessor alerts on port 2100 ??, Steven Sturges
Indexes:	[Date] [Thread] [Top] [All Lists]