[Snort-sigs] FP with telnet preprocessor....

Justin Heath justin.heath at ...2420...
Tue Aug 21 10:40:14 EDT 2007


You can add the following to your ftptelnet config to stop alerting and
inspecting this data if it is causing an issue.

encrypted_traffic no

Cheers,
Justin


On 8/20/07, Russell Fulton <r.fulton at ...575...> wrote:
>
>  Not exactly a signature issue but this seems to be the best place to
> post.
>
> I've just installed 2.7 and turned on the ftp/telnet preprocessor -- I see
> that both ftp and telnet are generating these alerts.  I assume that it
> decides stuff is encrypted if it strikes anything that is not in its
> protocol model. In the case of the ftp some of the packets were seriously
> broken but these telnet alerts, like the one below, are from a range of
> systems and all have the same form suggesting that there is something
> lacking in the model.
>
> Russell
>
>   META   SID 6   CID 8815382   TimeStamp 2007-08-20 16:18:15
>          Signature: telnet_pp: Telnet data encrypted
>          Sig ID 2 <http://www.snort.org/snort-db/sid.html?sid=2>
>   Sensor Hostname monitor-dmzo.isec.auckland.ac.nz   Interface dmz sensor
>   IP     Source Address 130.216.x.yy   Dest Address 216.155.193.135
>          Ver 4   Hdr Len 5   TOS 0   length 89   ID 58040   flags 2   offset 0
>          TTL 126   chksum 63296
>          Resolved Source abbb.ccc.auckland.ac.nz
>          Resolved Dest   cs8.msg.dcn.yahoo.com
>   TCP    Source Port 1262   Dest Port 23   Seq 2057010961   Ack 1040909924
>          Offset 5   Reserved 0   Flags 24 (ACK, PSH set)   Window 64816
>          Checksum 12746   Urgent Ptr 0   Options None
>   DATA   (hex)
>          594D5347000F0000001D
>          00C600000000764AB787
>          3130C080393939C08031
>          39C080C0803937C08031
>          C0803437C08032C080
>          (ascii)
>          YMSG............vJ..10..999..19....97..1..47..2..
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
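The resolved destination (cs8.msg.dcn.yahoo.com) and the "YMSG" magic at the start of the payload point at Yahoo Messenger traffic on port 23 rather than an encrypted telnet session. The following is an added example, not code from the thread or from Snort, that parses the payload from the alert above as a YMSG packet to confirm that diagnosis. It assumes the standard YMSG wire layout (a 4-byte "YMSG" magic, 16-bit big-endian version, vendor id, body length and service, 32-bit status and session id, then a body of key/value strings each terminated by the two bytes 0xC0 0x80); that layout is not documented on this page. The telnet check only looks for the IAC (0xFF) negotiation byte, and the telnet sample input is constructed, not taken from the post.

```python
"""Decode the payload from the telnet_pp alert as Yahoo Messenger (YMSG).

Added example: confirms that the bytes Snort flagged as "Telnet data
encrypted" are a well-formed YMSG packet, i.e. a false positive caused by
a non-telnet protocol on tcp/23, not a gap in the telnet model.
"""
import struct

# Payload hex copied from the alert in the post (49 bytes, split as shown there).
ALERT_PAYLOAD_HEX = (
    "594D5347000F0000001D"
    "00C600000000764AB787"
    "3130C080393939C08031"
    "39C080C0803937C08031"
    "C0803437C08032C080"
)

# Constructed telnet sample (not from the post): IAC WILL ECHO, IAC DO TERMINAL-TYPE.
TELNET_NEGOTIATION = b"\xff\xfb\x01\xff\xfd\x18"

YMSG_MAGIC = b"YMSG"
YMSG_HEADER_LEN = 20
YMSG_SEP = b"\xc0\x80"      # terminator after every key and every value (assumed layout)
TELNET_IAC = 0xFF           # telnet "Interpret As Command" byte


def parse_ymsg(payload: bytes):
    """Parse one YMSG packet (assumed layout, see lead-in).

    Returns a dict with the header fields and the key/value pairs, or None
    when the bytes are not a complete, well-formed YMSG packet.
    """
    if len(payload) < YMSG_HEADER_LEN or payload[:4] != YMSG_MAGIC:
        return None
    version, vendor, length, service = struct.unpack(">HHHH", payload[4:12])
    status, session = struct.unpack(">II", payload[12:20])
    body = payload[YMSG_HEADER_LEN:YMSG_HEADER_LEN + length]
    if len(body) != length:
        return None  # declared body length runs past the captured data
    parts = body.split(YMSG_SEP)
    # Every key and value ends with the separator, so the split leaves a
    # trailing empty element and an even number of real elements.
    if parts[-1] != b"" or len(parts) % 2 != 1:
        return None
    parts = parts[:-1]
    fields = [
        (parts[i].decode("latin-1"), parts[i + 1].decode("latin-1"))
        for i in range(0, len(parts), 2)
    ]
    return {
        "version": version,
        "vendor": vendor,
        "length": length,
        "service": service,
        "status": status,
        "session": session,
        "fields": fields,
    }


def classify(payload: bytes) -> str:
    """Rough triage for data seen on tcp/23: 'ymsg', 'telnet' or 'unknown'."""
    if parse_ymsg(payload) is not None:
        return "ymsg"
    if payload and payload[0] == TELNET_IAC:
        return "telnet"
    return "unknown"


if __name__ == "__main__":
    pkt = parse_ymsg(bytes.fromhex(ALERT_PAYLOAD_HEX))
    print("classification:", classify(bytes.fromhex(ALERT_PAYLOAD_HEX)))
    print("header:", {k: v for k, v in pkt.items() if k != "fields"})
    for key, value in pkt["fields"]:
        print(f"  key {key!r} = {value!r}")
```

The declared body length (0x1D = 29) matches the 29 bytes that follow the header exactly, and the body splits cleanly into four key/value pairs, which is what a structured plaintext protocol looks like and what random or encrypted data does not. Turning `encrypted_traffic` off silences the alert globally; the parse above also shows what a tighter local rule would key on (the "YMSG" magic at payload offset 0 on port 23) if you would rather keep encrypted-channel detection for real telnet sessions.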

