Snort mailing list archives
Re: snort ftp preprocessor alerts on port 2100 ??
From: Steven Sturges <steve.sturges () sourcefire com>
Date: Wed, 09 Jul 2008 09:03:38 -0400
Hi Russell--

This certainly seems strange, given the configuration you provide below... Any chance you can provide a pcap from the packet that generated the alert? I'm wondering if there is a presentation issue in the post-processing software you are using.

Cheers.
-steve

Russell Fulton wrote:
HI

I'm seeing ftp preprocessor alerts from traffic on port 2100 and I can't see why. From snort conf:

preprocessor ftp_telnet_protocol: ftp server default \
    ports { 21 } \
    def_max_param_len 100 \
    ftp_cmds { USER PASS ACCT CWD CDUP SMNT \
               QUIT REIN PORT PASV TYPE STRU MODE RETR STOR STOU APPE ALLO REST \
               RNFR RNTO ABOR DELE RMD MKD PWD LIST NLST SITE SYST STAT HELP NOOP } \
    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
    ftp_cmds { FEAT OPTS } \
    ftp_cmds { MDTM REST SIZE MLST MLSD EPSV } \
    alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity STRU < char FRP > \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
    cmd_validity PORT < host_port >

Which clearly says port 21. Yet I see:

META
  SID: 1    CID: 5823276    TimeStamp: 2008-07-08 13:53:23
  Signature: ftp_pp: Invalid FTP command    Sig ID: 2
  Sensor Hostname: monitor-itss.insec.auckland.ac.nz    Sensor Interface: ITSS sector switch

IP
  Source Address: 130.216.138.211    Dest Address: 130.216.123.59
  Ver: 4  Hdr Len: 5  TOS: 0  length: 172  ID: 16279  flags: 2  offset: 0  TTL: 127  chksum: 45045
  Resolved Source: macula.opt.auckland.ac.nz    Resolved Dest: tamexam8.opt.auckland.ac.nz

TCP
  Source Port: 1158  Dest Port: 2100  Seq: 2491263236  Ack: 988172587  Offset: 5  Reserved: 0  Flags: 24  Window: 65211  Checksum: 58408  Urgent Ptr: 0
  Options: None
  Flags: RB 1  RB 0  URG  ACK  PSH  RST  SYN  FIN

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
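As an added example (not part of this thread and not Snort's own code), here is a small Python model of the `ftp server` profile Russell quoted. It parses the `ports`, `def_max_param_len`, `ftp_cmds` and `alt_max_param_len` directives and reports, for a given server port and client command line, whether this profile would inspect the flow at all and whether the command would be flagged. The checks are a deliberate simplification of what ftp_telnet does (assumption: `cmd_validity` grammars are ignored, and only the unknown-command and parameter-length conditions are modelled); its purpose is to sanity-check a configuration block against an alert such as the one seen on port 2100.

```python
"""Simplified model of a Snort ftp_telnet 'ftp server' profile.

Added example, not Snort code. It covers the directives that appear in the
mailing-list post: ports, def_max_param_len, ftp_cmds, alt_max_param_len.
cmd_validity grammars are recognised by name only and not enforced
(assumption / simplification).
"""
import re

# Constructed sample: the 'ftp server default' block from the post, with the
# backslash line continuations already joined into one logical line.
SAMPLE_CONFIG = (
    "preprocessor ftp_telnet_protocol: ftp server default "
    "ports { 21 } "
    "def_max_param_len 100 "
    "ftp_cmds { USER PASS ACCT CWD CDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE "
    "RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD LIST NLST SITE "
    "SYST STAT HELP NOOP } "
    "ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } "
    "ftp_cmds { FEAT OPTS } "
    "ftp_cmds { MDTM REST SIZE MLST MLSD EPSV } "
    "alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } "
    "cmd_validity MODE < char ASBCZ > "
    "cmd_validity PORT < host_port >"
)


def parse_ftp_server(config: str) -> dict:
    """Extract ports, default max parameter length, known commands and
    per-command length overrides from one 'ftp server' configuration."""
    # Join backslash-newline continuations if raw snort.conf text is passed in.
    text = re.sub(r"\\\s*\n", " ", config)
    profile = {"ports": set(), "def_max_param_len": None, "cmds": set(), "alt_max": {}}

    m = re.search(r"\bports\s*\{([^}]*)\}", text)
    if m:
        profile["ports"] = {int(p) for p in m.group(1).split()}

    m = re.search(r"\bdef_max_param_len\s+(\d+)", text)
    if m:
        profile["def_max_param_len"] = int(m.group(1))

    # Several ftp_cmds blocks are allowed; they accumulate into one set.
    for block in re.findall(r"\bftp_cmds\s*\{([^}]*)\}", text):
        profile["cmds"].update(c.upper() for c in block.split())

    # alt_max_param_len N { CMD ... } overrides the default length for those commands.
    for length, block in re.findall(r"\balt_max_param_len\s+(\d+)\s*\{([^}]*)\}", text):
        for c in block.split():
            profile["alt_max"][c.upper()] = int(length)

    return profile


def inspects_flow(profile: dict, server_port: int) -> bool:
    """An 'ftp server' profile only inspects traffic to its configured ports."""
    return server_port in profile["ports"]


def check_command(profile: dict, line: str):
    """Return (ok, reason) for one client command line such as 'USER anonymous'.

    Models two ftp_telnet conditions: a command that is not in ftp_cmds
    ('Invalid FTP command') and a parameter longer than the allowed maximum."""
    line = line.rstrip("\r\n")
    cmd, _, param = line.partition(" ")
    cmd = cmd.upper()
    if cmd not in profile["cmds"]:
        return False, "Invalid FTP command"
    limit = profile["alt_max"].get(cmd, profile["def_max_param_len"])
    if limit is not None and len(param) > limit:
        return False, "FTP parameter length overflow"
    return True, "ok"


def evaluate(profile: dict, server_port: int, line: str) -> str:
    """Combine the port scope and the command check the way the profile would."""
    if not inspects_flow(profile, server_port):
        return "not inspected by this profile"
    _ok, reason = check_command(profile, line)
    return reason


if __name__ == "__main__":
    p = parse_ftp_server(SAMPLE_CONFIG)
    print("configured ports:", sorted(p["ports"]))
    # The alert in the post was on dest port 2100; this profile never looks there.
    print("port 2100, bogus command:", evaluate(p, 2100, "XYZZY"))
    print("port 21,   bogus command:", evaluate(p, 21, "XYZZY"))
    print("port 21,   NOOP with arg:", evaluate(p, 21, "NOOP x"))
```

With `ports { 21 }` the flow to port 2100 falls outside this profile, so an alert attributed to it either came from a different profile in the running configuration or is being displayed against the wrong packet, which is why comparing the pcap with what the console shows, as Steve suggests, is the next step.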
Current thread:
- snort ftp preprocessor alerts on port 2100 ?? Russell Fulton (Jul 08)
- Re: snort ftp preprocessor alerts on port 2100 ?? Steven Sturges (Jul 21)