Snort mailing list archives
Re: FTP USER overflow attempt alerts, no logged packets.
From: Jim Burwell <jimb () broadvision com>
Date: Wed, 31 Jul 2002 14:08:15 -0700
I'm getting the same behavior. This rule will alert, but there will be no packet logs. This is on a RH7.2 system running Snort 1.8.7 installed from the RH RPM (binary). I'm starting snort with "/usr/sbin/snort -D -z -I -o -i eth1 -d -l /b/log -c /etc/snort/snort.conf". The eth1 interface is a 'stealth listen' set-up with no IP configured. There doesn't seem to be any filesystem problems in the logging directory (out of inodes, etc). Other rules are logging. This problem appeared when I upgraded from snort 1.8.6 to snort 1.8.7. Seems to be a bug introduced into 1.8.7. 1.8.6 didn't have any of these packet logging problems for me. I couldn't see anything in the conf file which would cause ftp rules not to be logged (no specially defined type w/ output option, etc). So this appears to be a bug in snort, or perhaps the telnet_decode preprocessor which handles FTP sessions also.
- Jim

Dolfred Mascarenhas wrote:

> Hi,
>
> My snort alerted on the FTP user overflow attempt, as detailed below. On checking the logs, I observed that no packets were recorded for this alert, despite the large number of entries in the alerts file. Offensive packets were logged on all other alerts, but not this one. My Snort version is 1.8.7. Any comments/ideas will be appreciated.
>
> Thanks,
> Dolfred.
>
> [**] [1:1734:4] FTP USER overflow attempt [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
> 07/29-10:04:20.610705 0:A0:8E:14:EC:E8 -> 0:0:C:7:AC:0 type:0x800 len:0xAA
> x.x.x.x:1349 -> x.x.x.x:21 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:156
> ***AP*** Seq: 0xC7BB95C1  Ack: 0xC7BB95C1  Win: 0x0  TcpLen: 20
> [Xref => http://www.securityfocus.com/bid/4638]
> [Snortlog]
--
+---------------------------------------------------------------------+
| Jim Burwell - Sr. Systems/Network Admin., Broadvision, Inc.         |
+---------------------------------------------------------------------+
| "I never let my schooling get in the way of my education"-Mark Twain|
| "UNIX was never designed to keep people from doing stupid things,   |
| because that policy would also keep them from doing clever things." |
| "Cool is only three letters away from Fool" - Mike Muir, Suicyco    |
| "..Government in its best state is but a necessary evil; in its     |
| worst state an intolerable one.."-Thomas Paine,"Common Sense"(1776) |
+---------------------------------------------------------------------+
| Email: jimb () broadvision com      ICQ UIN: 1695089                |
| Voice: 650-261-5175                 Fax: 650-261-5900               |
+---------------------------------------------------------------------+

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
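The record Dolfred quotes is in Snort's "full" alert output format, and what both posters did by hand was compare the alert file against the packet-log tree. As an added example (not code from either poster or from the Snort project), here is a small Python parser for that format, a per-SID counter, and a check that pairs each alert with the packet-log file a decoded text log (`-l <dir>` without `-b`) would be expected to contain. The `<logdir>/<source IP>/<PROTO>:<sport>-<dport>` file layout is an assumption about Snort 1.8's text logger, the addresses are RFC 5737 documentation addresses standing in for the masked x.x.x.x, and the second and third records in the sample are constructed.

```python
"""Parse Snort 'full'-format alert records and find alerts with no packet log.

Added example; not code from the mailing-list thread or from the Snort project.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample alert file, modelled on the record quoted in the thread.
# Addresses are RFC 5737 documentation addresses (the poster masked them as
# x.x.x.x); the second and third records are made up for the example.
SAMPLE_ALERT_FILE = """\
[**] [1:1734:4] FTP USER overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/29-10:04:20.610705 0:A0:8E:14:EC:E8 -> 0:0:C:7:AC:0 type:0x800 len:0xAA
192.0.2.10:1349 -> 198.51.100.7:21 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:156
***AP*** Seq: 0xC7BB95C1  Ack: 0xC7BB95C1  Win: 0x0  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/4638]

[**] [1:1734:4] FTP USER overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/29-10:04:21.002311 0:A0:8E:14:EC:E8 -> 0:0:C:7:AC:0 type:0x800 len:0xAA
192.0.2.10:1350 -> 198.51.100.7:21 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:156
***AP*** Seq: 0xC7BB9700  Ack: 0xC7BB9700  Win: 0x0  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/4638]

[**] [1:1000001:1] CONSTRUCTED example rule [**]
[Classification: Misc activity] [Priority: 3]
07/29-10:05:00.000000 0:A0:8E:14:EC:E8 -> 0:0:C:7:AC:0 type:0x800 len:0x3C
192.0.2.10:40000 -> 198.51.100.7:80 TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:40
"""

# One regex per line type of the full alert format.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
TIME_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s")
# Ports are optional so ICMP records ("a.b.c.d -> e.f.g.h ICMP ...") also parse.
ADDR_RE = re.compile(r"^(\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))? (\w+)(?:\s|$)")
XREF_RE = re.compile(r"\[Xref => (.*?)\]")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str = ""
    priority: int = 0
    timestamp: str = ""
    src: str = ""
    sport: Optional[int] = None
    dst: str = ""
    dport: Optional[int] = None
    proto: str = ""
    xrefs: List[str] = field(default_factory=list)


def parse_alerts(text: str) -> List[Alert]:
    """Split a full-format alert file into Alert records, one per [**] header."""
    alerts: List[Alert] = []
    cur: Optional[Alert] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            if cur is not None:
                alerts.append(cur)
            cur = Alert(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
            continue
        if cur is None:
            continue  # text before the first header (or a [Snortlog] marker)
        if (m := CLASS_RE.match(line)):
            cur.classification, cur.priority = m[1], int(m[2])
        elif (m := TIME_RE.match(line)):
            cur.timestamp = m[1]
        elif (m := ADDR_RE.match(line)):
            cur.src, cur.dst, cur.proto = m[1], m[3], m[5]
            cur.sport = int(m[2]) if m[2] else None
            cur.dport = int(m[4]) if m[4] else None
        elif line.startswith("[Xref"):
            cur.xrefs.extend(XREF_RE.findall(line))  # several may share a line
    if cur is not None:
        alerts.append(cur)
    return alerts


def count_by_sid(alerts: List[Alert]) -> Dict[int, int]:
    """How many times each rule fired; the 'large number of entries' check."""
    counts: Dict[int, int] = {}
    for a in alerts:
        counts[a.sid] = counts.get(a.sid, 0) + 1
    return counts


def expected_log_path(alert: Alert, logdir: str) -> str:
    """Where the decoded text logger would put this alert's packet.

    ASSUMPTION: the <logdir>/<source IP>/<PROTO>:<sport>-<dport> layout of
    Snort 1.8's -l <dir> (non-binary) logger; adjust to your sensor's tree.
    """
    if alert.sport is not None and alert.dport is not None:
        name = f"{alert.proto}:{alert.sport}-{alert.dport}"
    else:
        name = alert.proto  # ICMP records carry no ports
    return f"{logdir.rstrip('/')}/{alert.src}/{name}"


def scan_log_dir(logdir: str) -> Set[str]:
    """Every file path currently under the packet-log directory."""
    return {os.path.join(d, f) for d, _, files in os.walk(logdir) for f in files}


def missing_packet_logs(alerts: List[Alert], logdir: str, existing: Set[str]) -> List[Alert]:
    """Alerts whose expected packet-log file is not in `existing`."""
    return [a for a in alerts if expected_log_path(a, logdir) not in existing]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERT_FILE)
    print(count_by_sid(parsed))
    for a in missing_packet_logs(parsed, "/b/log", scan_log_dir("/b/log")):
        print(f"no packet log for sid {a.sid} {a.src}:{a.sport} -> {a.dst}:{a.dport}")
```

Against a real sensor, replace `SAMPLE_ALERT_FILE` with the contents of the alert file and pass the `-l` directory to `scan_log_dir`; the output lists exactly the alerts that fired without a corresponding packet log, which is the symptom both posters describe for sid 1734 and nothing else.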