[Snort-sigs] FP on ftp_pp: Invalid FTP command where server response split over more than one packets...

Matthew Watchinski mwatchinski at ...435...
Fri Sep 28 10:44:49 EDT 2007


Does your ftptelnet: global line contain "inspection_type stateful" ?

Russell Fulton wrote:
> 
> META 	
> SID 	CID 	TimeStamp 	Signature 	Sig ID
> 6 	9506430 	2007-09-27 16:33:59 	ftp_pp: Invalid FTP command 	2 <http://www.snort.org/snort-db/sid.html?sid=2>
> 
> Sensor Hostname 	Sensor Interface
> monitor-dmzo.isec.auckland.ac.nz 	dmz sensor
> 
> IP 	
> Source Address 	Dest Address 	Ver 	Hdr Len 	TOS 	length 	ID 	flags 	offset 	TTL 	chksum
> 130.216.55.91 	198.119.135.29 	4 	5 	0 	260 	39360 	2 	0 	62 	39531
> 
> Resolved Source 	Resolved Dest
> rdav91.phy.auckland.ac.nz 	l0acg02.larc.nasa.gov
> 
> TCP 	
> Source Port 	Dest Port 	Seq 	Ack 	Offset 	Reserved 	Flags 	Window 	Checksum 	Urgent Ptr
> 21 	40088 	3619641377 	2537425207 	8 	0 	25 	65535 	838 	0
> 
> Options
> None
> 
> Flags
> 
> RB 1 	RB 0 	URG 	ACK 	PSH 	RST 	SYN 	FIN
> 			X 	X 			X
> 
> --------------------------------------------------------------------------------
> DATA 	
> 
>     Data traffic for this session was 80726354 bytes in 2 fi
> les...    Total traffic for this session was 80727111 bytes 
> in 2 transfers...221 Thank you for using the FTP service on 
> rdav91.phy.auckland.ac.nz...




