[Snort-users] FTP USER overflow attempt alerts, no logged packets.

Jim Burwell jimb at ...6373...
Wed Jul 31 14:09:02 EDT 2002


I'm getting the same behavior.  This rule will alert, but there will be 
no packet logs.  This is on a RH7.2 system running Snort 1.8.7 installed 
from the RH RPM (binary).  I'm starting snort with "/usr/sbin/snort -D 
-z -I -o -i eth1 -d -l /b/log -c /etc/snort/snort.conf".  The eth1 
interface is a 'stealth listen' set-up with no IP configured.  There 
don't seem to be any filesystem problems in the logging directory (out 
of inodes, etc).  Other rules are logging.  

This problem appeared when I upgraded from snort 1.8.6 to snort 1.8.7. 
Seems to be a bug introduced into 1.8.7.  1.8.6 didn't have any of 
these packet logging problems for me.  I couldn't see anything in the 
conf file which would cause ftp rules not to be logged (no specially 
defined type w/ output option, etc).  So this appears to be a bug in 
snort, or perhaps the telnet_decode preprocessor which handles FTP 
sessions also.

- Jim


Dolfred Mascarenhas wrote:

>Hi, 
>
>My snort alerted on the FTP user overflow attempt, as
>detailed below. On checking the logs, I observed that
>no packets were recorded for this alert, despite the
>large number of entries in the alerts file. Offensive
>packets were logged on all other alerts, but not this
>one.
>
>My Snort version is 1.8.7
>Any comments/ideas will be appreciated.
>
>Thanks,
>Dolfred.
>
>
>
>[**] [1:1734:4] FTP USER overflow attempt [**]
>[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
>07/29-10:04:20.610705 0:A0:8E:14:EC:E8 -> 0:0:C:7:AC:0 type:0x800 len:0xAA
>x.x.x.x:1349 -> x.x.x.x:21 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:156
>***AP*** Seq: 0xC7BB95C1 Ack: 0xC7BB95C1 Win: 0x0 TcpLen: 20
>[Xref => http://www.securityfocus.com/bid/4638] [Snort log]
>

-- 
+---------------------------------------------------------------------+
|    Jim Burwell - Sr. Systems/Network Admin., Broadvision, Inc.      |
+---------------------------------------------------------------------+
| "I never let my schooling get in the way of my education"-Mark Twain|
| "UNIX was never designed to keep people from doing stupid things,   |
| because that policy would also keep them from doing clever things." |
| "Cool is only three letters away from Fool" - Mike Muir, Suicyco    |
| "..Government in its best state is but a necessary evil; in its     |
| worst state an intolerable one.."-Thomas Paine,"Common Sense"(1776) |
+---------------------------------------------------------------------+
|    Email:  jimb at ...6373...               ICQ UIN:  1695089     |
|             Voice:  650-261-5175  Fax:  650-261-5900                |
+---------------------------------------------------------------------+
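Added example, not code from this thread or from the Snort project: a small Python checker that parses Snort 1.x full-format alert text (the layout shown in the quoted alert) and reports which alerts have no corresponding packet-log file, the "alerts but no logged packets" symptom both posters describe. It assumes the default text-log layout `<logdir>/<host ip>/<PROTO>:<sport>-<dport>` and, because which endpoint names the directory depends on the `-h` home-net setting, tries both hosts and both port orders; that lookup rule is an assumption of the example. The IP addresses, the second rule (local SID 1000001) and the set of "existing" log files are constructed, and `/b/log` is the log directory from Jim's command line.

```python
import os
import posixpath
import re
import sys
from typing import Callable, Dict, List, NamedTuple, Tuple


class Alert(NamedTuple):
    gid: int
    sid: int
    rev: int
    msg: str
    timestamp: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# The three pieces of a Snort "full" alert block this checker needs.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
TIME_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ")
# Searched (not anchored) so it works whether or not -e puts MACs on their own line.
ADDR_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) (TCP|UDP) ")


def parse_alerts(text: str) -> List[Alert]:
    """Parse full-format alert text; alert blocks are separated by blank lines.
    ICMP alerts (no ports) are skipped because the log-file name needs ports."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        hdr = HEADER_RE.match(lines[0]) if lines else None
        if not hdr:
            continue  # not an alert block
        ts = addr = None
        for line in lines[1:]:
            ts = ts or TIME_RE.match(line)
            addr = addr or ADDR_RE.search(line)
        if not (ts and addr):
            continue  # no usable packet summary: skip rather than guess
        alerts.append(Alert(
            int(hdr.group(1)), int(hdr.group(2)), int(hdr.group(3)), hdr.group(4),
            ts.group(1), addr.group(5),
            addr.group(1), int(addr.group(2)), addr.group(3), int(addr.group(4)),
        ))
    return alerts


def candidate_log_paths(a: Alert, logdir: str) -> List[str]:
    """ASSUMPTION: default text logging writes <logdir>/<host>/<PROTO>:<sport>-<dport>.
    Which host names the directory depends on -h, so try both hosts and both orders."""
    names = (f"{a.proto}:{a.sport}-{a.dport}", f"{a.proto}:{a.dport}-{a.sport}")
    return [posixpath.join(logdir, host, n) for host in (a.src, a.dst) for n in names]


def find_unlogged(alerts: List[Alert], logdir: str,
                  exists: Callable[[str], bool] = os.path.exists) -> List[Alert]:
    """Alerts for which none of the candidate packet-log files exist."""
    return [a for a in alerts
            if not any(exists(p) for p in candidate_log_paths(a, logdir))]


def summarize_by_sid(alerts: List[Alert], missing: List[Alert]) -> Dict[int, Tuple[int, int]]:
    """sid -> (total alerts, alerts with no packet log); a rule at (n, n) is the bug pattern."""
    out: Dict[int, Tuple[int, int]] = {}
    lost = {id(a) for a in missing}
    for a in alerts:
        total, gone = out.get(a.sid, (0, 0))
        out[a.sid] = (total + 1, gone + (1 if id(a) in lost else 0))
    return out


# Constructed sample: the quoted alert with made-up addresses, plus a local test rule
# whose packet (alert 2, format without -e) did get logged.
SAMPLE_ALERTS = """\
[**] [1:1734:4] FTP USER overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/29-10:04:20.610705 0:A0:8E:14:EC:E8 -> 0:0:C:7:AC:0 type:0x800 len:0xAA
10.0.0.5:1349 -> 10.0.0.9:21 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:156
***AP*** Seq: 0xC7BB95C1 Ack: 0xC7BB95C1 Win: 0x0 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/4638]

[**] [1:1000001:1] CONSTRUCTED local test rule [**]
[Classification: Misc activity] [Priority: 3]
07/29-10:05:01.000000 10.0.0.5:2048 -> 10.0.0.9:80 TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60
"""
SAMPLE_LOGGED = {"/b/log/10.0.0.5/TCP:2048-80"}  # constructed "files on disk"


if __name__ == "__main__":
    if len(sys.argv) == 3:  # real run: checker.py <alert file> <logdir>
        with open(sys.argv[1]) as fh:
            found = parse_alerts(fh.read())
        gone = find_unlogged(found, sys.argv[2])
    else:                   # offline demo on the constructed sample
        found = parse_alerts(SAMPLE_ALERTS)
        gone = find_unlogged(found, "/b/log", SAMPLE_LOGGED.__contains__)
    for sid, (total, lost_n) in sorted(summarize_by_sid(found, gone).items()):
        print(f"sid {sid}: {total} alert(s), {lost_n} without a packet log")
```

Run it against a real alert file and log directory to see, per SID, how many alerts lack a packet file; a rule whose every alert is unlogged while other rules log normally points at the rule or preprocessor path rather than at disk or inode exhaustion, which is the distinction Jim draws above.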