Re: ftp_pp: FTP malformed parameter

[Jason Wallace <jason.r.wallace () gmail com>]

I'm still trying to figure this one out. Any ideas?

Thx,
Wally

On Thu, Apr 29, 2010 at 12:44 PM, Jason Wallace
<jason.r.wallace () gmail com> wrote:
> Hi,
>
> Just migrated to 2.8.6 and I'm seeing a ton of "ftp_pp: FTP malformed
> parameter" alerts in BASE.
>
> I'm using the default config that came with 2.8.6 for ftp_telnet_protocol:
>
> preprocessor ftp_telnet_protocol: ftp server default \
>    def_max_param_len 100 \
>    ports { 21 } \
>    ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE
> STRU MODE } \
>    ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
>    ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
>    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
>    ftp_cmds { FEAT OPTS CEL CMD MACB } \
>    ftp_cmds { MDTM REST SIZE MLST MLSD } \
>    ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>    alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
>    alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD
> SYST TEST STAT MACB EPSV CLNT LPRT } \
>    alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
>    alt_max_param_len 256 { RNTO CWD } \
>    alt_max_param_len 400 { PORT } \
>    alt_max_param_len 512 { SIZE } \
>    chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
>    chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
>    chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
>    chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
>    chk_str_fmt { FEAT OPTS CEL CMD } \
>    chk_str_fmt { MDTM REST SIZE MLST MLSD } \
>    chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
>    cmd_validity MODE < char ASBCZ > \
>    cmd_validity STRU < char FRP > \
>    cmd_validity ALLO < int [ char R int ] > \
>    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [
> number ] } > \
>    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
>    cmd_validity PORT < host_port >
> #
> preprocessor ftp_telnet_protocol: ftp client default \
>    max_resp_len 256 \
>    bounce yes \
>    telnet_cmds yes
>
>
> Here are some examples from BASE of what is triggering the alerts...
>
>
> length = 6
>
> 000 : 4E 4C 53 54 0D 0A                                 NLST..
>
>
> length = 14
>
> 000 : 4F 50 54 53 20 75 74 66 38 20 6F 6E 0D 0A         OPTS utf8 on..
>
>
> There are also a lot of these...
>
> length = 6
>
> 000 : 53 59 53 54 0D 0A                                 SYST..
>
>
>
> It all looks like legit traffic. Is it chk_str_fmt that is causing
> these? If so why are they triggering?
>
> Thx,
> Wally

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users