[Snort-devel] Bug in src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c

Russ Combs rcombs at ...402...
Thu Sep 12 13:37:22 EDT 2013


The point of ignore_data_chan is to identify data channels to turn off
reassembly and inspection for better performance on the assumption that
there is nothing worth looking at in the file, directory listing, etc.  If
you need to inspect that, you want "ignore_data_chan no" AND the
appropriate ports / services configured in stream5.  Since the data channel
may be on port 20 or may be elsewhere, try setting "stream5_tcp: ports both
all" to see if you can get the reassembly you are looking for.

Also, how are you checking for reassembly?  Nominally, the reassembly will
be different for ftp than http.  You may only reassembled segments of
2*1460 or whatever.  You can set "stream5_global: show_rebuilt_packets.




On Thu, Sep 12, 2013 at 12:46 PM, Reinoud Koornstra <sockstat at ...445...>wrote:

> Hi,
>
> The code looked correct to me too, but didn't work the way i hoped for.
> What I was trying to achieve is to get a stream reassembly for ftp like
> it's done for http and other protocol.
> Every 4 al more full mtu packets I saw that snort reassembled some packet
> content together to a big packet of 17k bytes.
> It doesn't do this for ftp, stream reassembly doesn't seem to work there.
> I thought it was due to my inability to get identity open data channel
> going as everytime when snort starts it said it was not active, even though
> i had
> ignore_data_chan no in my ftp config as you can see below.
> With this argument, identify open data channel still wouldn't be on and i
> instrumented the code to see.
> Even with this argument if (!strcasecmp("yes", pcToken)) doesn't trigger
> and doesn't match.
> In the current code with ignore_data_chan is set to no,
> ServerConf->data_chan is set to 0.
>
> Also, is stream reassembly happening with ftp-data packets like with http
> etc?
> I never see packets of 17k being formed and inspected by snort like it
> does with http.
> Thanks,
>
> Reinoud.
>
>
> # FTP / Telnet normalization and anomaly detection.  For more information,
> see README.ftptelnet
> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic
> no check_encrypted
> preprocessor ftp_telnet_protocol: telnet \
>     ayt_attack_thresh 20 \
>     normalize ports { 23 } \
>     detect_anomalies
> preprocessor ftp_telnet_protocol: ftp server default \
>     def_max_param_len 100 \
>     ports { 21 2100 3535 } \
>     telnet_cmds yes \
>     ignore_telnet_erase_cmds yes \
>     ignore_data_chan no \
>     ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
>     ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
>     ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
>     ftp_cmds { LPSV MACB MAIL M DTM MIC MKD MLSD MLST } \
>     ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
>     ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
>     ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
>     ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
>     ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
>     ftp_cmds { XSEN XSHA1 XSHA256 } \
>     alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT
> REIN STOU SYST XCUP XPWD } \
>     alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU
> XMKD } \
>     alt_max_param_len 256 { CWD RNTO } \
>     alt_max_param_len 400 { PORT } \
>     alt_max_param_len 512 { SIZE } \
>     chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
>     chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
>     chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
>     chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
>     chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
>     chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
>     chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
>     chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
>     cmd_validity ALLO < int [ char R int ] > \
>     cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
>     cmd_validity MACB < string > \
>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>     cmd_validity MODE < char ASBCZ > \
>     cmd_validity PORT < host_port > \
>     cmd_validity PROT < char CSEP > \
>     cmd_validity STRU < char FRPO [ string ] > \
>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number
> ] } >
> preprocessor ftp_telnet_protocol: ftp client default \
>
>
>  ------------------------------
> Date: Thu, 12 Sep 2013 11:09:33 -0400
> Subject: Re: [Snort-devel] Bug in
> src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c
> From: rcombs at ...402...
> To: sockstat at ...445...
> CC: snort-devel at lists.sourceforge.net
>
>
>   Hi.  That code looks correct w/o patching.  strncasecmp(a,b) returns
> zero if a matches b.
>
> I'm not clear on the issue that you are having.  What is your ftp
> configuration and what are you trying to do?
>
> Let me know and we'll try to get it figured out.
>
> Thanks
> Russ
>
>
>
> On Thu, Sep 12, 2013 at 3:30 AM, Reinoud Koornstra <sockstat at ...445...>wrote:
>
>  Hi Everyone,
>
> I've been struggeling with trying to get trying to active this option
> Identify open data channels.
> Even with the parameter ignore_data_chan no, it wouldn't activate.
> After some instrumentation I found that we were turning it off because of
> a comparison that didn't go right.
> Even with ignore_data_chan set to no, we'd still come in the else if which
> wasn't correct.
> Here's a fix to the problem:
>
> ---- src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c.orig 2013-09-12
> 00:17:29.301433818 -0700
> +++ src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c 2013-09-12
> 00:21:54.441437865 -0700
> @@ -1403,11 +1403,11 @@
>                                           confOption);
>          return FTPP_FATAL_ERR;
>      }
> -    if (!strcasecmp("yes", pcToken))
> +    if (strncmp("yes", pcToken, 3) != 0)
>      {
>          ServerConf->data_chan = 1;
>      }
> -    else if (!strcasecmp("no", pcToken))
> +    else if (strncmp("no", pcToken, 2) != 0)
>      {
>          if (ServerConf->data_chan == 1)
>          {
>
> Thanks,
>
> Reinoud.
>
>
> ------------------------------------------------------------------------------
> How ServiceNow helps IT people transform IT departments:
> 1. Consolidate legacy IT systems to a single system of record for IT
> 2. Standardize and globalize service processes across IT
> 3. Implement zero-touch automation to replace manual, redundant tasks
> http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130912/85c5ec74/attachment.html>


More information about the Snort-devel mailing list