No, they did not, but I was using a different config before. When I
switched to 2.6.0 I decided to start with the default settings shipped
with snort for this preprocessor.
Wally
On Fri, Apr 30, 2010 at 10:42 AM, Joel Esler <jesler@sourcefire.com> wrote:
> Yes, that's why they are triggering, did these not trigger before 2.8.6.0?
>
> On Thu, Apr 29, 2010 at 12:44 PM, Jason Wallace <jason.r.wallace@gmail.com>
> wrote:
>>
>> Hi,
>>
>> Just migrated to 2.8.6 and I'm seeing a ton of "ftp_pp: FTP malformed
>> parameter" alerts in BASE.
>>
>> I'm using the default config that came with 2.8.6 for ftp_telnet_protocol:
>>
>> preprocessor ftp_telnet_protocol: ftp server default \
>> def_max_param_len 100 \
>> ports { 21 } \
>> ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
>> ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
>> ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
>> ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
>> ftp_cmds { FEAT OPTS CEL CMD MACB } \
>> ftp_cmds { MDTM REST SIZE MLST MLSD } \
>> ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>> alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
>> alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
>> alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
>> alt_max_param_len 256 { RNTO CWD } \
>> alt_max_param_len 400 { PORT } \
>> alt_max_param_len 512 { SIZE } \
>> chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
>> chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
>> chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
>> chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
>> chk_str_fmt { FEAT OPTS CEL CMD } \
>> chk_str_fmt { MDTM REST SIZE MLST MLSD } \
>> chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>> cmd_validity MODE < char ASBCZ > \
>> cmd_validity STRU < char FRP > \
>> cmd_validity ALLO < int [ char R int ] > \
>> cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
>> cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>> cmd_validity PORT < host_port >
>> #
>> preprocessor ftp_telnet_protocol: ftp client default \
>> max_resp_len 256 \
>> bounce yes \
>> telnet_cmds yes
>>
>>
>> Here are some examples from BASE of what is triggering the alerts...
>>
>>
>> length = 6
>>
>> 000 : 4E 4C 53 54 0D 0A NLST..
>>
>>
>> length = 14
>>
>> 000 : 4F 50 54 53 20 75 74 66 38 20 6F 6E 0D 0A OPTS utf8 on..
>>
>>
>> There are also a lot of these...
>>
>> length = 6
>>
>> 000 : 53 59 53 54 0D 0A SYST..
>>
>>
>>
>> It all looks like legit traffic. Is it chk_str_fmt that is causing
>> these? If so, why are they triggering?
>>
>> Thx,
>> Wally
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users@lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
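The directives in the ftp server default block quoted above, as an added example that is not part of the original thread and is not Snort's ftp_telnet preprocessor code: a simplified Python model of what def_max_param_len, alt_max_param_len, chk_str_fmt and three of the cmd_validity rules ask for, run over the three command lines Wally posted from BASE plus some constructed inputs. The command lists are copied from the posted config; the rule that a command named in two alt_max_param_len lists takes the later value, the printf-style regex used for the format-string check, and the unknown-command result are assumptions of this model.

```python
import re

# Added example, not Snort's implementation. Command lists are copied from
# the ftp server default block posted in the thread.
FTP_CMDS = set("""
USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE
RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD
LIST NLST SITE SYST STAT HELP NOOP
AUTH ADAT PROT PBSZ CONF ENC
FEAT OPTS CEL CMD MACB
MDTM REST SIZE MLST MLSD
XPWD XCWD XCUP XMKD XRMD TEST CLNT
""".split())

DEF_MAX_PARAM_LEN = 100

# alt_max_param_len lists from the config. A command named in two lists
# (SYST, STOU) takes the later value here; that override order is an
# assumption of this model, not documented Snort behaviour.
ALT_MAX_PARAM_LEN = {}
for limit, cmds in [
    (0, "CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP"),
    (100, "MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT"),
    (200, "XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP"),
    (256, "RNTO CWD"),
    (400, "PORT"),
    (512, "SIZE"),
]:
    for c in cmds.split():
        ALT_MAX_PARAM_LEN[c] = limit

CHK_STR_FMT = set("""
USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE
RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD
LIST NLST SITE SYST STAT HELP
AUTH ADAT PROT PBSZ CONF ENC
FEAT OPTS CEL CMD
MDTM REST SIZE MLST MLSD
XPWD XCWD XCUP XMKD XRMD TEST CLNT
""".split())

# Assumed meaning of "format string attack": a printf-style conversion with
# optional flags, width, precision and length modifier.
FORMAT_SPEC = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[hlLqjzt]*[diouxXeEfFgGaAcspn]")


def host_port(param):
    """cmd_validity PORT < host_port >: h1,h2,h3,h4,p1,p2 with each field 0..255."""
    parts = param.split(",")
    return len(parts) == 6 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


# Three of the posted cmd_validity rules; TYPE, ALLO and MDTM are omitted.
CMD_VALIDITY = {
    "MODE": lambda p: len(p) == 1 and p in "ASBCZ",   # < char ASBCZ >
    "STRU": lambda p: len(p) == 1 and p in "FRP",     # < char FRP >
    "PORT": host_port,                                 # < host_port >
}


def check_ftp_command(line):
    """Return the reasons this model would flag one client command line ([] if clean)."""
    line = line.rstrip("\r\n")
    cmd, _, param = line.partition(" ")
    cmd = cmd.upper()
    if cmd not in FTP_CMDS:
        return ["unknown command"]
    reasons = []
    limit = ALT_MAX_PARAM_LEN.get(cmd, DEF_MAX_PARAM_LEN)
    if len(param) > limit:
        reasons.append(f"parameter length {len(param)} exceeds {limit}")
    if cmd in CHK_STR_FMT and FORMAT_SPEC.search(param):
        reasons.append("format specifier in parameter")
    validator = CMD_VALIDITY.get(cmd)
    if validator is not None and not validator(param):
        reasons.append("parameter fails cmd_validity rule")
    return reasons


if __name__ == "__main__":
    # The three lines posted from BASE, followed by constructed inputs.
    for sample in ["NLST\r\n", "OPTS utf8 on\r\n", "SYST\r\n",
                   "USER %n%n%n\r\n", "MODE X\r\n", "QUIT now\r\n",
                   "PORT 10,0,0,1,4,1\r\n", "PORT 10,0,0,1,999,1\r\n",
                   "CWD " + "A" * 300 + "\r\n"]:
        print(repr(sample[:24]), "->", check_ftp_command(sample) or "clean")
```

Under this model the three posted lines (NLST, OPTS utf8 on, SYST) pass every check, while a `%n` payload, an out-of-range PORT tuple, a parameter on QUIT (alt_max_param_len 0 means no parameter at all) and an oversized CWD path are each flagged. The model is there to make the config readable; it does not reproduce whatever in the real preprocessor raised the malformed-parameter alert on that traffic.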