[Snort-sigs] seeing hits on ftp_pp: FTP malformed parameter

Matthew Watchinski mwatchinski at ...435...
Fri Sep 28 10:54:00 EDT 2007


Have you modified your ftp_telnet_protocol configuration?  Do you have a
cmd_validity line for MKD?

Russell Fulton wrote:
> Why is it throwing these out?   Snort 2.7.0.1...
> 
> Russell
> 
> META 	
> SID 	CID 	TimeStamp 	Signature 	Sig ID
> 6 	9505847 	2007-09-27 15:49:58 	ftp_pp: FTP malformed parameter 	4 
> <http://www.snort.org/snort-db/sid.html?sid=4>
> 
> Sensor Hostname 	Sensor Interface
> monitor-dmzo.isec.auckland.ac.nz 	dmz sensor
> 
> IP
> Source Address 	Dest Address 	Ver 	Hdr Len 	TOS 	length 	ID 	flags 	offset 	TTL 	chksum
> 130.216.99.108 	203.17.179.68 	4 	5 	0 	56 	5934 	2 	0 	126 	33015
> 
> Resolved Source 	Resolved Dest
> wks-810-417-4.bae.auckland.ac.nz 	Could Not Resolve
> 
> TCP
> Source Port 	Dest Port 	Seq 	Ack 	Offset 	Reserved 	Flags 	Window 	Checksum 	Urgent Ptr
> 4205 	21 	938221803 	849233450 	5 	0 	24 	63757 	62384 	0
> 
> Options
> None
> 
> Flags
> RB 1 	RB 0 	URG 	ACK 	PSH 	RST 	SYN 	FIN
> 	 	 	X 	X 	 	 	
> 
> DATA
> 4D4B44204E657720466F 6C6465720D0A
> MKD New Folder..
> 




