Snort mailing list archives

Re: FTP USER overflow attempt alerts, no logged packets.


From: Jim Burwell <jimb () broadvision com>
Date: Wed, 31 Jul 2002 14:08:15 -0700

I'm getting the same behavior. This rule will alert, but there will be no packet logs. This is on a RH7.2 system running Snort 1.8.7 installed from the RH RPM (binary). I'm starting snort with "/usr/sbin/snort -D -z -I -o -i eth1 -d -l /b/log -c /etc/snort/snort.conf". The eth1 interface is a 'stealth listen' set-up with no IP configured. There doesn't seem to be any filesystem problems in the logging directory (out of inodes, etc). Other rules are logging. This problem appeared when I upgraded from snort 1.8.6 to snort 1.8.7. Seems to be a bug introduced into 1.8.7. 1.8.6 didn't have any of these packet logging problems for me. I couldn't see anything in the conf file which would cause ftp rules not to be logged (no specially defined type w/ output option, etc). So this appears to be a bug in snort, or perhaps the telnet_decode preprocessor which handles FTP sessions also.

- Jim


Dolfred Mascarenhas wrote:

Hi,
My snort alerted on the FTP user overflow attempt, as
detailed below. On checking the logs, I observed that
no packets were recorded for this alert, despite the
large number of entries in the alerts file. Offensive
packets were logged on all other alerts, but not this
one.

My Snort version is 1.8.7
Any comments/ideas will be appreciated.

Thanks,
Dolfred.



[**] [1:1734:4] FTP USER overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/29-10:04:20.610705 0:A0:8E:14:EC:E8 -> 0:0:C:7:AC:0 type:0x800 len:0xAA
x.x.x.x:1349 -> x.x.x.x:21 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:156
***AP*** Seq: 0xC7BB95C1 Ack: 0xC7BB95C1 Win: 0x0 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/4638] [Snort log]


-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
+---------------------------------------------------------------------+
|    Jim Burwell - Sr. Systems/Network Admin., Broadvision, Inc.      |
+---------------------------------------------------------------------+
| "I never let my schooling get in the way of my education"-Mark Twain|
| "UNIX was never designed to keep people from doing stupid things,   |
| because that policy would also keep them from doing clever things." |
| "Cool is only three letters away from Fool" - Mike Muir, Suicyco    |
| "..Government in its best state is but a necessary evil; in its     |
| worst state an intolerable one.."-Thomas Paine,"Common Sense"(1776) |
+---------------------------------------------------------------------+
|    Email:  jimb () broadvision com               ICQ UIN:  1695089     |
|             Voice:  650-261-5175  Fax:  650-261-5900                |
+---------------------------------------------------------------------+
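The symptom in this thread is an alert record with no matching packet log. The script below is an added example, not code from the thread or from the Snort project: it parses the multi-line "full" alert records in the layout quoted above and reports the SIDs of alerts for which no packet log file exists, which is the check a sensor operator would script to notice this kind of logging gap. Two things are assumptions rather than facts from the thread: the sample alerts are constructed (documentation addresses 192.0.2.x replace the x.x.x.x in the quote, and the second record is a made-up local rule with a SID in the 1000000+ local range used as a control), and the packet-log naming convention `<logdir>/<source ip>/<PROTO>:<sport>-<dport>` is my recollection of Snort 1.8's default ASCII logging layout; adjust `packet_log_path` to whatever your sensor actually writes.

```python
"""Correlate Snort full-format alerts with the per-host packet log directory.

Added example, not from the thread.  Parses alert records in the layout quoted
in the thread and lists alerts that have no corresponding packet log file.
"""
import os
import re
import tempfile

# Pieces of a Snort "full" alert record, in the order Snort writes them.
HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_PRIO = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
TIMESTAMP = re.compile(r"(\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)")
ENDPOINTS = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) (TCP|UDP) TTL:")
XREF = re.compile(r"\[Xref => (\S+)\]")

# Constructed sample alert file (not real sensor output).  The first record
# mirrors the one quoted in the thread with documentation addresses; the
# second is a made-up local rule (SID in the 1000000+ range) used as a control.
SAMPLE_ALERTS = """\
[**] [1:1734:4] FTP USER overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
07/29-10:04:20.610705 0:A0:8E:14:EC:E8 -> 0:0:C:7:AC:0 type:0x800 len:0xAA
192.0.2.10:1349 -> 192.0.2.20:21 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:156
***AP*** Seq: 0xC7BB95C1  Ack: 0xC7BB95C1  Win: 0x0  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/4638]

[**] [1:1000001:1] LOCAL constructed control alert [**]
[Classification: Misc activity] [Priority: 3]
07/29-10:05:02.000001 0:A0:8E:14:EC:E8 -> 0:0:C:7:AC:0 type:0x800 len:0x5A
192.0.2.10:2000 -> 192.0.2.20:80 TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:76
***A**** Seq: 0x1  Ack: 0x2  Win: 0x4000  TcpLen: 20
"""


def parse_alerts(text):
    """Split a full-format alert file on blank lines; return one dict per alert."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        lines = block.strip().splitlines()
        head = HEADER.match(lines[0])
        if not head:
            continue  # not an alert header: skip rather than guess at it
        body = "\n".join(lines[1:])
        rec = {
            "gid": int(head.group(1)), "sid": int(head.group(2)),
            "rev": int(head.group(3)), "msg": head.group(4),
            "classification": None, "priority": None, "timestamp": None,
            "src": None, "sport": None, "dst": None, "dport": None, "proto": None,
            "xrefs": XREF.findall(body),
        }
        cp = CLASS_PRIO.search(body)
        if cp:
            rec["classification"], rec["priority"] = cp.group(1), int(cp.group(2))
        ts = TIMESTAMP.search(body)
        if ts:
            rec["timestamp"] = ts.group(1)
        ep = ENDPOINTS.search(body)  # the IP line; the MAC line has no TTL field
        if ep:
            rec["src"], rec["sport"] = ep.group(1), int(ep.group(2))
            rec["dst"], rec["dport"] = ep.group(3), int(ep.group(4))
            rec["proto"] = ep.group(5)
        records.append(rec)
    return records


def packet_log_path(logdir, rec):
    """Assumed Snort 1.8 ASCII-logger layout: <logdir>/<src ip>/<PROTO>:<sport>-<dport>.
    This naming is an assumption about the default logger, not taken from the thread."""
    return os.path.join(logdir, rec["src"], f"{rec['proto']}:{rec['sport']}-{rec['dport']}")


def alerts_without_packet_logs(records, logdir):
    """Return the SIDs of alerts whose packet log file is missing (or unresolvable)."""
    return [r["sid"] for r in records
            if r["src"] is None or not os.path.exists(packet_log_path(logdir, r))]


def demo():
    """Build a throw-away log directory containing a packet log for the control
    alert only, then return the SIDs that lack one (expected: just 1734)."""
    records = parse_alerts(SAMPLE_ALERTS)
    with tempfile.TemporaryDirectory() as logdir:
        control = records[1]
        os.makedirs(os.path.dirname(packet_log_path(logdir, control)))
        with open(packet_log_path(logdir, control), "w") as fh:
            fh.write("constructed packet dump placeholder\n")
        return alerts_without_packet_logs(records, logdir)


if __name__ == "__main__":
    for rec in parse_alerts(SAMPLE_ALERTS):
        print(rec["sid"], rec["msg"], f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}")
    print("alerts without packet logs:", demo())
```

Run against a real sensor by reading the alert file into `parse_alerts` and pointing `alerts_without_packet_logs` at the `-l` directory; a non-empty result for a rule that other rules do not show is the quickest way to confirm the per-rule logging gap this thread describes, without relying on spotting it by eye.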






