[Snort-sigs] FP on ftp_pp: Invalid FTP command where server response split over more than one packet...

Russell Fulton r.fulton at ...575...
Fri Sep 28 22:18:53 EDT 2007



Matthew Watchinski wrote:
> Does your ftptelnet: global line contain "inspection_type stateful" ?
>   

yes:

preprocessor ftp_telnet: global \
   encrypted_traffic no \
   inspection_type stateful

preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200

# This is consistent with the FTP rules as of 18 Sept 2004.
# CWD can have param length of 200
# MODE has an additional mode of Z (compressed)
# Check for string formats in USER & PASS commands
# Check nDTM commands that set modification time on the file.
preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   ftp_cmds { EPSV XPWD XCWD XCUP XMKD XRMD } \
   telnet_cmds yes \
   data_chan

preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes

> Russell Fulton wrote:
>   
>> META 	
>> SID 	CID 	TimeStamp 	Signature 	Sig ID
>> 6 	9506430 	2007-09-27 16:33:59 	ftp_pp: Invalid FTP command 	2 
>> <http://www.snort.org/snort-db/sid.html?sid=2>
>>
>> Sensor Hostname 	Sensor Interface
>> monitor-dmzo.isec.auckland.ac.nz 	dmz sensor
>>
>> IP 	
>> Source Address 	Dest Address 	Ver 	Hdr Len 	TOS 	length 	ID 	flags 	offset 	TTL 	chksum
>> 130.216.55.91 	198.119.135.29 	4 	5 	0 	260 	39360 	2 	0 	62 	39531
>>
>> Resolved Source 	Resolved Dest
>> rdav91.phy.auckland.ac.nz 	l0acg02.larc.nasa.gov
>>
>> TCP 	
>> Source Port 	Dest Port 	Seq 	Ack 	Offset 	Reserved 	Flags 	Window 	Checksum 	Urgent Ptr
>> 21 	40088 	3619641377 	2537425207 	8 	0 	25 	65535 	838 	0
>>
>> Options
>> None
>>
>> Flags
>>
>> RB 1 	RB 0 	URG 	ACK 	PSH 	RST 	SYN 	FIN
>>  	 	 	X 	X 	 	 	X
>>
>> --------------------------------------------------------------------------------
>> DATA 	
>>
>>     Data traffic for this session was 80726354 bytes in 2 files...    Total traffic for this session was 80727111 bytes in 2 transfers...221 Thank you for using the FTP service on rdav91.phy.auckland.ac.nz...
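The DATA above is the tail of a multi-line 221 reply whose opening "221-" line arrived in an earlier packet, so a check with no memory of the previous packet sees lines that start with no reply code. The script below is an added illustration, not code from this thread or from Snort's ftp_telnet preprocessor: it contrasts a per-packet check with one that carries multi-line reply state across segments. SEG1 is constructed; SEG2 is rebuilt from the DATA shown above with CRLF assumed where the alert shows "...".

```python
import re

# Constructed sample segments (not captured from the thread): the first packet
# opens an RFC 959 multi-line 221 reply, the second carries its tail, which is
# the text visible in the alert's DATA section.
SEG1 = b"221-Goodbye.\r\n"
SEG2 = (b"    Data traffic for this session was 80726354 bytes in 2 files.\r\n"
        b"    Total traffic for this session was 80727111 bytes in 2 transfers.\r\n"
        b"221 Thank you for using the FTP service on rdav91.phy.auckland.ac.nz.\r\n")

REPLY_RE = re.compile(r"^(\d{3})([ -])")  # 'xyz ' final line, 'xyz-' opens multi-line


def stateless_check(segment: bytes) -> list:
    """Per-packet check with no memory: every line that does not start with a
    3-digit reply code is reported. This is the behaviour behind the FP."""
    lines = segment.decode("ascii", "replace").splitlines()
    return [ln for ln in lines if not REPLY_RE.match(ln)]


class FtpReplyTracker:
    """Stateful check: remembers an open multi-line reply and an incomplete
    last line across segments, so continuation text is not misreported."""

    def __init__(self) -> None:
        self.open_code = None  # code of the multi-line reply still in progress
        self.partial = b""     # bytes of a line cut by a segment boundary

    def feed(self, segment: bytes) -> list:
        data = self.partial + segment
        lines = data.split(b"\r\n")
        self.partial = lines.pop()  # last piece has no CRLF yet (or is empty)
        problems = []
        for raw in lines:
            line = raw.decode("ascii", "replace")
            m = REPLY_RE.match(line)
            if self.open_code is not None:
                # Inside 'xyz-...': any text is allowed until the 'xyz ' line closes it.
                if m and m.group(1) == self.open_code and m.group(2) == " ":
                    self.open_code = None
                continue
            if m is None:
                problems.append(line)
            elif m.group(2) == "-":
                self.open_code = m.group(1)
        return problems


def demo() -> tuple:
    """Returns (stateless findings on SEG2, stateful findings on SEG1, on SEG2)."""
    tracker = FtpReplyTracker()
    return stateless_check(SEG2), tracker.feed(SEG1), tracker.feed(SEG2)
```

Run on the two segments, the stateless check reports both continuation lines of SEG2 while the tracker reports nothing for either segment.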