Snort mailing list archives
Re: ftp_pp: FTP malformed parameter
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Fri, 30 Apr 2010 10:18:24 -0400
I'm still trying to figure this one out. Any ideas?

Thx,
Wally

On Thu, Apr 29, 2010 at 12:44 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:

Hi,

Just migrated to 2.8.6 and I'm seeing a ton of "ftp_pp: FTP malformed parameter" alerts in BASE. I'm using the default config that came with 2.8.6 for ftp_telnet_protocol:

preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ports { 21 } \
    ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
    ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
    ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
    ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
    ftp_cmds { FEAT OPTS CEL CMD MACB } \
    ftp_cmds { MDTM REST SIZE MLST MLSD } \
    ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
    alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
    alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
    alt_max_param_len 256 { RNTO CWD } \
    alt_max_param_len 400 { PORT } \
    alt_max_param_len 512 { SIZE } \
    chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
    chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
    chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
    chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
    chk_str_fmt { FEAT OPTS CEL CMD } \
    chk_str_fmt { MDTM REST SIZE MLST MLSD } \
    chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity STRU < char FRP > \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity PORT < host_port >
#
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes

Here are some examples from BASE of what is triggering the alerts...

length = 6
000 : 4E 4C 53 54 0D 0A    NLST..

length = 14
000 : 4F 50 54 53 20 75 74 66 38 20 6F 6E 0D 0A    OPTS utf8 on..

There are also a lot of these...

length = 6
000 : 53 59 53 54 0D 0A    SYST..

It all looks like legit traffic. Is it chk_str_fmt that is causing these? If so why are they triggering?

Thx,
Wally
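Added example, not part of the original post and not a Snort tool: a consistency check over the ftp_cmds and alt_max_param_len lists from the posted server section, reporting commands that are listed twice, that carry two different length limits, or that have a limit without being declared. The names audit, CONFIG and BLOCK are illustrative; the check looks only at the lists themselves and does not model how Snort resolves such entries.

```python
import re
from collections import defaultdict

# ftp_cmds and alt_max_param_len lines copied from the server section posted above.
CONFIG = r"""
ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
ftp_cmds { FEAT OPTS CEL CMD MACB } \
ftp_cmds { MDTM REST SIZE MLST MLSD } \
ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
alt_max_param_len 256 { RNTO CWD } \
alt_max_param_len 400 { PORT } \
alt_max_param_len 512 { SIZE } \
"""

# One "{ ... }" block; group 2 holds the limit and is None for ftp_cmds.
BLOCK = re.compile(r"(ftp_cmds|alt_max_param_len\s+(\d+))\s*\{([^}]*)\}")

def audit(config):
    """Report list inconsistencies (hypothetical helper, not a Snort tool)."""
    declared = []                 # every command named in an ftp_cmds block
    limits = defaultdict(list)    # command -> each alt_max_param_len given for it
    for m in BLOCK.finditer(config):
        cmds = m.group(3).split()
        if m.group(2) is None:
            declared.extend(cmds)
        else:
            for cmd in cmds:
                limits[cmd].append(int(m.group(2)))
    return {
        "repeated_in_ftp_cmds": sorted({c for c in declared if declared.count(c) > 1}),
        "conflicting_limits": {c: v for c, v in limits.items() if len(set(v)) > 1},
        "limit_but_not_declared": sorted(set(limits) - set(declared)),
    }

if __name__ == "__main__":
    for finding, value in audit(CONFIG).items():
        print(f"{finding}: {value}")
```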
Current thread:
- ftp_pp: FTP malformed parameter Jason Wallace (Apr 29)
- Re: ftp_pp: FTP malformed parameter Jason Wallace (Apr 30)
- Re: ftp_pp: FTP malformed parameter Joel Esler (Apr 30)
- Re: ftp_pp: FTP malformed parameter Jason Wallace (Apr 30)