[Snort-devel] portscan and FTP
nathan at ...1839...
Thu Mar 20 14:03:02 EST 2003
I'm posting this to devel, as I think perhaps this could be a future
enhancement (or perhaps I'm nuts, and missing the obvious). It's well
known that the portscan preprocessor can trigger on a large series of
FTP data connections (PASV mode, of course - inbound to server).
Active mode is ok, since the server is initiating the connections.
It's this darn passive mode that's tying me up. There are a few
solutions, though, in order from worst idea to best.
1) Naturally, don't offer passive mode ftp.
This is hardly viable because most browsers only support passive mode
and also because you have to have passive mode for client-side firewalls.
2) Limit your ftp server's passive ports to some small range, and set
snort to filter out that range of tcp traffic.
I don't like this one too much because you're partially covering
snort's eyes, and that ain't good for intrusion detection.
3) Add some IQ to portscan to be able to specify port ranges to ignore
This is slightly better than 2, as at least snort is still checking
these packets out. Just not portscan. Still don't like it, though.
4) Add some IQ to snort / portscan to know about PASV and PORT ftp
This I like best, but it is also the hardest to implement. :( Basically,
add some intelligence in snort and or portscan to recognize the PASV
command and also the PORT commands, such that portscan can then ignore
connections *from that host* to *that port* (of course, with some sort
of expiration on this set). This yields the most power and
control, and allows snort and portscan to still function fully. And
this makes me happy.
So, am I missing anything? Is there maybe a better way to solve my
problem? If not, how hard would it be to implement #3 or #4?
Thanks for your time,
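A sketch of option #4 as an added example (not Snort code, and not from the original post): a tracker learns expected data connections from PASV replies and PORT commands on the control channel, holds each for a fixed expiry, and a toy per-source SYN counter standing in for the portscan preprocessor skips connections the tracker explains. The hosts, ports, control lines and timings are constructed for the demo.

```python
import re

# Control-channel patterns: PASV reply from the server, PORT command from the client.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)

def _endpoint(m):
    """Decode the h1,h2,h3,h4,p1,p2 tuple into (ip, port)."""
    ip = ".".join(m.group(i) for i in range(1, 5))
    return ip, int(m.group(5)) * 256 + int(m.group(6))

class FtpDataTracker:
    """Remembers data connections announced on the FTP control channel; each
    entry expires after `ttl` seconds, so a portscan counter can skip them."""
    def __init__(self, ttl=30.0):
        self.ttl = ttl
        self.expected = {}  # (src_ip, dst_ip, dst_port) -> expiry time

    def observe_control(self, client_ip, server_ip, line, now):
        m = PASV_RE.match(line)
        if m:  # server listens; the client will connect to ip:port
            ip, port = _endpoint(m)
            self.expected[(client_ip, ip, port)] = now + self.ttl
            return
        m = PORT_RE.match(line)
        if m:  # client listens; the server will connect back to ip:port
            ip, port = _endpoint(m)
            self.expected[(server_ip, ip, port)] = now + self.ttl

    def is_expected(self, src_ip, dst_ip, dst_port, now):
        """True once for an announced connection that has not yet expired."""
        expiry = self.expected.pop((src_ip, dst_ip, dst_port), None)
        return expiry is not None and now <= expiry

def count_unexplained_syns(tracker, syns):
    """Per-source count of SYNs not explained by control traffic (a simple
    stand-in for the portscan preprocessor's connection counter)."""
    counts = {}
    for src, dst, port, now in syns:
        if not tracker.is_expected(src, dst, port, now):
            counts[src] = counts.get(src, 0) + 1
    return counts

def demo():
    """Constructed session: client 10.0.0.5, FTP server 192.0.2.10."""
    t = FtpDataTracker(ttl=30.0)
    c, s = "10.0.0.5", "192.0.2.10"
    t.observe_control(c, s, "227 Entering Passive Mode (192,0,2,10,195,80)", 0.0)  # port 50000
    t.observe_control(c, s, "PORT 10,0,0,5,200,1", 1.0)                             # port 51201
    t.observe_control(c, s, "227 Entering Passive Mode (192,0,2,10,195,82)", 5.0)  # port 50002
    syns = [(c, s, 50000, 0.5),   # announced by PASV: ignored
            (s, c, 51201, 1.5),   # announced by PORT: ignored
            (c, s, 50001, 2.0),   # never announced: counted
            (c, s, 50002, 50.0)]  # announced, but past the 30 s expiry: counted
    return count_unexplained_syns(t, syns)
```

Only the two unexplained SYNs from the client are counted; the server's PORT-driven connection back to the client never shows up as a scan candidate.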