[Snort-sigs] seeing hits on ftp_pp: FTP malformed parameter

Russell Fulton r.fulton at ...575...
Sun Sep 30 17:06:16 EDT 2007



Matthew Watchinski wrote:
> Have you modified your ftp_telnet_protocol configuration?  Do you have a
> cmd_validty line for MKD ?
>   

No:

preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   ftp_cmds { EPSV XPWD XCWD XCUP XMKD XRMD} \
   telnet_cmds yes \
   data_chan


On a side note I've had to add EPSV to ftp_cmds as many modern
implementations use it -- might be a good idea to add it to the list in
the readme and the default snort.conf.

Russell




More information about the Snort-sigs mailing list