[Snort-devel] portscan and FTP

Nathan Isburgh nathan at ...1839...
Thu Mar 20 14:03:02 EST 2003


   I'm posting this to devel, as I think perhaps this could be a future 
enhancement (or perhaps I'm nuts, and missing the obvious).  It's well 
known that the portscan preprocessor can trigger on a large series of 
FTP data connections (PASV mode, of course - inbound to server).  
Active mode is ok, since the server is initiating the connections.  
It's this darn passive mode that's tying me up.  There are a few 
solutions, though, in order from worst idea to best.

1) Naturally, don't offer passive mode ftp.

This is hardly viable because most browsers only support passive mode 
and also because you have to have passive mode for client-side firewalls.

2) Limit your ftp server's passive ports to some small range, and set 
snort to filter out that range of tcp traffic.

I don't like this one too much because you're partially covering 
snort's eyes, and that ain't good for intrusion detection.

3) Add some IQ to portscan to be able to specify port ranges to ignore.

This is slightly better than 2, as at least snort is still checking 
these packets out.  Just not portscan.  Still don't like it, though.

4) Add some IQ to snort / portscan to know about PASV and PORT ftp.

This I like best, but it is also hardest to implement.  :(  Basically, 
add some intelligence in snort and/or portscan to recognize the PASV 
command and also the PORT commands, such that portscan can then ignore 
connections *from that host* to *that port* (of course, with some sort 
of expiration on this set).  This yields the most amount of power and 
control, and allows snort and portscan to still function fully.  And 
this makes me happy.

So, am I missing anything?  Is there maybe a better way to solve my 
problem?  If not, how hard would it be to implement #3 or #4?

Thanks for your time,
Nathan Isburgh
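The PASV/PORT-aware exemption from option 4, as an added example (Python, not Snort's own preprocessor code and not something the poster wrote): it parses the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply and the `PORT` command from the control channel, records the expected data connection with an expiry, and lets a minimal portscan counter skip only those announced SYNs. The class names, thresholds, addresses and traffic below are constructed for the demo.

```python
"""Proposal #4 sketch: learn expected FTP data connections from the control
channel and exempt them from portscan counting.  Hypothetical names
(FtpDataTracker, PortscanCounter); traffic in run_demo() is constructed."""
import re
from collections import defaultdict

# Server reply on the control channel (RFC 959): 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client command on the control channel: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)


def _decode(m):
    """Turn the six comma-separated decimal fields into (host, port)."""
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


class FtpDataTracker:
    """Remembers (initiator, target host, target port) triples announced on an
    FTP control channel, each with an expiry so entries cannot live forever."""

    def __init__(self, ttl_seconds=30.0):
        self.ttl = ttl_seconds
        self.expected = {}  # (initiator_ip, target_host, target_port) -> expiry

    def observe_control(self, src, dst, payload, now):
        """src/dst are the IPs of the control-channel (port 21) packet."""
        m = PASV_RE.match(payload)
        if m:                            # server tells the client where to connect
            host, port = _decode(m)
            self.expected[(dst, host, port)] = now + self.ttl
            return host, port
        m = PORT_RE.match(payload)
        if m:                            # client tells the server where to connect
            host, port = _decode(m)
            self.expected[(dst, host, port)] = now + self.ttl
            return host, port
        return None

    def consume_expected(self, src, dst, dport, now):
        """True if this SYN was announced and is not yet expired.  Entries are
        one-shot, so a later probe of the same port is still counted."""
        expiry = self.expected.pop((src, dst, dport), None)
        return expiry is not None and now <= expiry


class PortscanCounter:
    """Minimal portscan heuristic: distinct destination ports per (src, dst)
    pair inside a sliding time window."""

    def __init__(self, tracker, threshold=5, window=3.0):
        self.tracker = tracker
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(list)    # (src, dst) -> [(time, dport), ...]

    def observe_syn(self, src, dst, dport, now):
        """Return True if this SYN pushes the pair to the alert threshold."""
        if self.tracker.consume_expected(src, dst, dport, now):
            return False                 # announced FTP data connection: ignore
        hist = self.seen[(src, dst)]
        hist.append((now, dport))
        hist[:] = [(t, p) for t, p in hist if now - t <= self.window]
        return len({p for _, p in hist}) >= self.threshold


def run_demo():
    """Constructed traffic: ten PASV transfers, one unannounced port sweep, and
    one announcement whose data SYN arrives after the TTL has lapsed."""
    tracker = FtpDataTracker(ttl_seconds=30.0)
    scanner = PortscanCounter(tracker, threshold=5, window=3.0)
    client, server, attacker = "192.0.2.10", "10.0.0.5", "198.51.100.7"
    ftp_alerts = scan_alerts = 0
    t = 0.0
    for i in range(10):                  # each 227 reply is followed by its data SYN
        hi, lo = divmod(50000 + i, 256)
        reply = f"227 Entering Passive Mode ({server.replace('.', ',')},{hi},{lo})"
        tracker.observe_control(server, client, reply, t)
        if scanner.observe_syn(client, server, 50000 + i, t + 0.1):
            ftp_alerts += 1
        t += 0.2
    for p in range(1, 11):               # sweep of low ports, never announced
        if scanner.observe_syn(attacker, server, p, t):
            scan_alerts += 1
        t += 0.1
    tracker.observe_control(server, client, "227 Entering Passive Mode (10,0,0,5,196,0)", t)
    stale_exempt = tracker.consume_expected(client, server, 196 * 256, t + 60.0)
    return ftp_alerts, scan_alerts, stale_exempt


if __name__ == "__main__":
    print(run_demo())                    # (0, 6, False)
```

The exemption is keyed on the address inside the PASV reply rather than on the control-channel IP, since the two can differ behind NAT, and an entry is consumed on first use so a real scan of a port that was once announced is still counted.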
