[Snort-users] ftp_pp: FTP malformed parameter

Joel Esler jesler at ...1935...
Fri Apr 30 10:42:44 EDT 2010


Yes, that's why they are triggering, did these *not* trigger before 2.8.6.0?

On Thu, Apr 29, 2010 at 12:44 PM, Jason Wallace
<jason.r.wallace at ...11827...>wrote:

> Hi,
>
> Just migrated to 2.8.6 and I'm seeing a ton of "ftp_pp: FTP malformed
> parameter" alerts in BASE.
>
> I'm using the default config that came with 2.8.6 for ftp_telnet_protocol:
>
> preprocessor ftp_telnet_protocol: ftp server default \
>    def_max_param_len 100 \
>    ports { 21 } \
>    ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
>    ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
>    ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
>    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
>    ftp_cmds { FEAT OPTS CEL CMD MACB } \
>    ftp_cmds { MDTM REST SIZE MLST MLSD } \
>    ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>    alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
>    alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
>    alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
>    alt_max_param_len 256 { RNTO CWD } \
>    alt_max_param_len 400 { PORT } \
>    alt_max_param_len 512 { SIZE } \
>    chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
>    chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
>    chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
>    chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
>    chk_str_fmt { FEAT OPTS CEL CMD } \
>    chk_str_fmt { MDTM REST SIZE MLST MLSD } \
>    chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>    cmd_validity MODE < char ASBCZ > \
>    cmd_validity STRU < char FRP > \
>    cmd_validity ALLO < int [ char R int ] > \
>    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
>    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>    cmd_validity PORT < host_port >
> #
> preprocessor ftp_telnet_protocol: ftp client default \
>    max_resp_len 256 \
>    bounce yes \
>    telnet_cmds yes
>
>
> Here are some examples from BASE of what is triggering the alerts...
>
>
> length = 6
>
> 000 : 4E 4C 53 54 0D 0A                                 NLST..
>
>
> length = 14
>
> 000 : 4F 50 54 53 20 75 74 66 38 20 6F 6E 0D 0A         OPTS utf8 on..
>
>
> There are also a lot of these...
>
> length = 6
>
> 000 : 53 59 53 54 0D 0A                                 SYST..
>
>
>
> It all looks like legit traffic. Is it chk_str_fmt that is causing
> these? If so why are they triggering?
>
> Thx,
> Wally
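As an added example that is not part of the original thread, the following Python model applies the parameter-length rules from the server config quoted above to the three commands shown in the BASE hex dumps. It assumes that a later alt_max_param_len block overrides an earlier one for the same command, reports only whether chk_str_fmt covers a command, and does not model cmd_validity grammars.

```python
"""Added example (not from the original post): apply the posted
ftp_telnet_protocol server config to the three sample FTP commands.

Only the def_max_param_len / alt_max_param_len length rules are
modelled (a later alt_max_param_len block is assumed to override an
earlier one for the same command); chk_str_fmt membership is reported
and cmd_validity grammars are not modelled.
"""
import re

# Subset of the config quoted in the post, mail wrapping undone.
CONFIG = """
def_max_param_len 100
alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP }
alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT }
alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP }
alt_max_param_len 256 { RNTO CWD }
alt_max_param_len 400 { PORT }
alt_max_param_len 512 { SIZE }
chk_str_fmt { LIST NLST SITE SYST STAT HELP }
chk_str_fmt { FEAT OPTS CEL CMD }
"""

# Command-channel bytes from the BASE hex dumps in the post.
SAMPLES = [b"NLST\r\n", b"OPTS utf8 on\r\n", b"SYST\r\n"]


def parse_config(text):
    """Return (default_len, {cmd: max_len}, set of chk_str_fmt cmds)."""
    default_len = int(re.search(r"def_max_param_len\s+(\d+)", text).group(1))
    max_len, fmt_cmds = {}, set()
    for n, cmds in re.findall(r"alt_max_param_len\s+(\d+)\s*\{([^}]*)\}", text):
        for cmd in cmds.split():
            max_len[cmd] = int(n)  # later block overwrites earlier (assumed)
    for cmds in re.findall(r"chk_str_fmt\s*\{([^}]*)\}", text):
        fmt_cmds.update(cmds.split())
    return default_len, max_len, fmt_cmds


def evaluate(line, default_len, max_len, fmt_cmds):
    """Split one command line and compare its parameter to the limits."""
    cmd, _, param = line.rstrip(b"\r\n").decode("ascii").partition(" ")
    limit = max_len.get(cmd, default_len)
    return {"cmd": cmd, "param_len": len(param), "limit": limit,
            "too_long": len(param) > limit, "chk_str_fmt": cmd in fmt_cmds}


def evaluate_samples(config=CONFIG, samples=SAMPLES):
    return [evaluate(s, *parse_config(config)) for s in samples]
```

Calling evaluate_samples() returns one dict per sample command with its effective length limit, actual parameter length, and whether chk_str_fmt covers it.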
