[Snort-users] Can't get Identify open data channels to YES

Joel Esler jesler at ...1935...
Thu Sep 12 11:31:54 EDT 2013


Essentially the problem is that the message is wrong when Snort starts. It should say “Ignore Open Data Channels” instead of “Identify Open Data Channels”.

But look at the last line you pasted in your config there.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Sep 11, 2013, at 5:19 PM, Reinoud Koornstra <sockstat at ...125...> wrote:

> Hi Everyone,
>  
> I am trying to get the FTP data to be checked completely.
> When running snort it tells me:
>  
>     FTP CONFIG:
>       FTP Server: default
>         Ports (PAF): 21 2100 3535 
>         Check for Telnet Cmds: YES alert: YES
>         Ignore Telnet Cmd Operations: YES alert: YES
>         Identify open data channels: NO
> 
> How can I get Identify open data channels to YES?
> Here the part of my snort.conf that matters:
>  
> preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
> preprocessor ftp_telnet_protocol: telnet \
>     ayt_attack_thresh 20 \
>     normalize ports { 23 } \
>     detect_anomalies
> preprocessor ftp_telnet_protocol: ftp server default \
>     def_max_param_len 100 \
>     ports { 21 2100 3535 } \
>     telnet_cmds yes \
>     ignore_telnet_erase_cmds yes \
>     ignore_data_chan no \
> 
> What am I doing wrong?
> Thanks,
>  
> Reinoud.

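Added example (not part of the original thread and not Snort project code): a small Python check that joins the backslash-continued lines of a snort.conf, finds each ftp server stanza, and reports its ignore_data_chan value with the startup line relabelled the way the reply above says it should read. The sample config is the excerpt quoted in the thread; the function names and the "unset" marker are assumptions made for this example.

```python
import re

# Constructed sample: the config excerpt quoted in the thread.
SAMPLE_CONF = r"""
preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
preprocessor ftp_telnet_protocol: telnet \
    ayt_attack_thresh 20 \
    normalize ports { 23 } \
    detect_anomalies
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 3535 } \
    telnet_cmds yes \
    ignore_telnet_erase_cmds yes \
    ignore_data_chan no \

"""

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield " ".join(buf.split())
        buf = ""
    if buf.strip():  # file ended on a continuation
        yield " ".join(buf.split())

def ftp_data_channel_settings(text):
    """Map each 'ftp server <name>' stanza to ignore_data_chan, or 'unset'."""
    found = {}
    for line in logical_lines(text):
        m = re.match(r"preprocessor ftp_telnet_protocol: ftp server (\S+)", line)
        if m:
            opt = re.search(r"\bignore_data_chan (yes|no)\b", line)
            found[m.group(1)] = opt.group(1) if opt else "unset"
    return found

def audit(text):
    """Return (server, relabelled startup line, data channel ignored?)."""
    return [(srv, f"Ignore open data channels: {val.upper()}", val == "yes")
            for srv, val in ftp_data_channel_settings(text).items()]

if __name__ == "__main__":
    for row in audit(SAMPLE_CONF):
        print(row)
```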