Snort mailing list archives
Re: FTP passive data transfer FP's and flowbits
From: Kungu Panda <kungupanda () gmail com>
Date: Tue, 11 Jan 2011 17:11:53 +0000
The thrust of my original inquiry missed the mark. Trying again:

The root of the problem/issue lies in the fact that FTP has a control channel (on port 21/tcp) *and* dynamic data-channels that are completely independent from the control channel. For example:

10.0.0.1:23121 <--> 172.168.1.1:21 *ftp control-channel*
10.0.0.1:23125 <--> 172.168.1.1:4561 *ftp data-channel, entirely separate tcp flow from the control-channel*

Snort, as far as I can tell, has no ability to track/associate an ftp control-channel with an ftp data-channel. This results in ftp data-channel communications being treated as completely independent tcp flows, when they are actually part of a larger ftp session being controlled by the control-channel. The dynamically-assigned high-ports used by the ftp data-channels and the binary data within the ftp data-channel transfer *constantly* false-positive trigger on snort rules.

What I would very much like is the ability for snort to associate the ftp data-channels with the control-channel. Once this association has been established, I would like the ability to use a snort rule keyword or flowbit to modify the snort rule behavior so that, on a per-rule basis, rules can be set to ignore or trigger on ftp dataflows.

The capability to associate ftp control-channels and ftp data-channels is widely used in firewalls. The firewall only needs a rule to permit the 21/tcp FTP control-channel and all subsequent dynamically-allocated high-port FTP data-channels are permitted.

I don't have any problem with the ftp/telnet preprocessor, which works just fine.

Does that help clarify?

K.Panda

On Tue, Jan 11, 2011 at 2:48 PM, Joel Esler <jesler () sourcefire com> wrote:
Okay, so let me ask you guys. What can we do (Snort) to make it better?

Joel

On Mon, Jan 10, 2011 at 8:54 PM, Martin Holste <mcholste () gmail com> wrote:

I've never found the alerts generated by the FTP preproc to be helpful for anything other than a heartbeat to prove Snort is up and sniffing traffic. I recently started to suppress all from that gen_id. I'm strongly considering doing the same for the SSL preproc. The amount of resources it takes to investigate each false positive is not worth the off-chance that you will be the one to discover a never-before-seen new FTP/telnet hack.

On Mon, Jan 10, 2011 at 1:19 PM, Kungu Panda <kungupanda () gmail com> wrote:

I am experiencing a large number of false-positive alerts generated from ftp sessions; specifically ftp data sessions tripping alerts on binary transfers. Any recommendations on associating an ftp command channel with an ftp passive data-channel which, of course, occur on ports from the command channel? Association for use with snort flowbits to identify ftp sessions and eliminate FPs on troublesome rules. . .

Thanks,
K.Panda

------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company that requires sensitive data to be transmitted over the Web. Learn how to best implement a security strategy that keeps consumers' information secure and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
Skype: eslerjoel
http://blog.snort.org
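The association Kungu Panda asks for, worked through as an added example in Python. This is not code from the thread or from Snort; the hosts, ports and control-channel lines in demo() are constructed for illustration. The tracker parses PASV/EPSV replies and PORT/EPRT commands on the control channel, records the data-channel endpoint each one announces, and classifies later TCP flows against those expectations, which is how a firewall's FTP helper decides to open a pinhole. It also carries the two checks such a helper needs: a listener announced on a host other than the one announcing it is refused (the FTP bounce pattern), and each expectation is consumed by exactly one connection, so a stale PASV listener does not keep whitelisting traffic.

```python
"""Associate FTP data channels with their control channel, firewall-helper style.

Added example: not code from the thread or from Snort. Hosts, ports and the
control-channel lines in demo() are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, tcp port)
Expectation = Tuple[str, Endpoint]  # (mode, listener that will accept the data connection)

# Server replies announcing a passive listener (RFC 959 PASV, RFC 2428 EPSV).
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")
# Client commands announcing an active listener (RFC 959 PORT, RFC 2428 EPRT).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|[12]\|([^|]+)\|(\d+)\|$", re.I)


def _hostport(m: "re.Match[str]") -> Endpoint:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PASV replies and PORT commands."""
    ip = ".".join(m.group(i) for i in range(1, 5))
    return ip, int(m.group(5)) * 256 + int(m.group(6))


class FtpSession:
    """One control-channel TCP flow plus the data channels it has announced."""

    def __init__(self, client: Endpoint, server: Endpoint) -> None:
        self.client = client
        self.server = server
        # (mode, listener, ip allowed to connect to it); each entry is consumed by one data flow.
        self.pending: List[Tuple[str, Endpoint, str]] = []
        self.refused: List[str] = []

    def observe(self, direction: str, line: str) -> Optional[Expectation]:
        """Feed one control-channel line; direction is 'c2s' or 's2c'."""
        line = line.rstrip("\r\n")
        if direction == "s2c":
            m = PASV_RE.match(line)
            if m:
                return self._expect("passive", _hostport(m), self.server[0], self.client[0])
            m = EPSV_RE.match(line)
            if m:  # EPSV carries only a port; the address is the control-channel peer
                return self._expect("passive", (self.server[0], int(m.group(1))), self.server[0], self.client[0])
        else:
            m = PORT_RE.match(line)
            if m:
                return self._expect("active", _hostport(m), self.client[0], self.server[0])
            m = EPRT_RE.match(line)
            if m:
                return self._expect("active", (m.group(1), int(m.group(2))), self.client[0], self.server[0])
        return None

    def _expect(self, mode: str, listener: Endpoint, announced_by: str, initiator: str) -> Optional[Expectation]:
        # A listener on a host other than the one announcing it is the FTP bounce pattern, and a
        # privileged port is its usual target; refusing both is this example's policy choice.
        if listener[0] != announced_by or listener[1] < 1024:
            self.refused.append(f"{mode} listener {listener[0]}:{listener[1]} announced by {announced_by}")
            return None
        self.pending.append((mode, listener, initiator))
        return mode, listener


class FtpTracker:
    """Control-channel flows keyed by (client, server); classifies new flows against them."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple[Endpoint, Endpoint], FtpSession] = {}

    def control(self, client: Endpoint, server: Endpoint, direction: str, line: str) -> Optional[Expectation]:
        sess = self.sessions.setdefault((client, server), FtpSession(client, server))
        return sess.observe(direction, line)

    def classify(self, src: Endpoint, dst: Endpoint) -> str:
        """Classify a new TCP flow (src sent the SYN). A matching expectation is used once."""
        for sess in self.sessions.values():
            for i, (mode, listener, initiator) in enumerate(sess.pending):
                if dst == listener and src[0] == initiator:
                    del sess.pending[i]  # one announced listener, one data connection
                    return f"ftp-data/{mode}"
        return "unrelated"


def demo() -> List[str]:
    """Constructed control-channel exchange using the hosts from the thread (not a capture)."""
    t = FtpTracker()
    client, server = ("10.0.0.1", 23121), ("172.168.1.1", 21)
    t.control(client, server, "c2s", "PASV\r\n")
    t.control(client, server, "s2c", "227 Entering Passive Mode (172,168,1,1,17,209).\r\n")  # 17*256+209 = 4561
    results = [
        t.classify(("10.0.0.1", 23125), ("172.168.1.1", 4561)),  # the data channel from the post
        t.classify(("10.0.0.1", 23126), ("172.168.1.1", 4561)),  # expectation already consumed
        t.classify(("10.0.0.1", 23127), ("172.168.1.1", 4562)),  # never announced
    ]
    t.control(client, server, "c2s", "PORT 10,0,0,1,195,81\r\n")  # active mode, 195*256+81 = 50001
    results.append(t.classify(("172.168.1.1", 20), ("10.0.0.1", 50001)))
    t.control(client, server, "c2s", "PORT 10,0,0,9,0,25\r\n")  # third host, port 25: bounce, refused
    results.append(t.classify(("172.168.1.1", 20), ("10.0.0.9", 25)))
    return results


if __name__ == "__main__":
    print(demo())
```

demo() returns one label per constructed flow; the refused PORT is kept in the session's refused list so a rule or log line can be raised on it rather than silently dropped. The per-rule switch Kungu Panda wants would then be a flowbit set on the classified data flow. Whether a given Snort version's ftp_telnet preprocessor can mark or ignore data channels on its own is something to check in the README.ftptelnet shipped with that version, not something this example settles.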
Current thread:
- FTP passive data transfer FP's and flowbits Kungu Panda (Jan 10)
- Re: FTP passive data transfer FP's and flowbits Martin Holste (Jan 10)
- Re: FTP passive data transfer FP's and flowbits Joel Esler (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Crusty Saint (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Crusty Saint (Jan 26)
- Re: FTP passive data transfer FP's and flowbits Joel Esler (Jan 26)
- Re: FTP passive data transfer FP's and flowbits Joel Esler (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Kungu Panda (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Jason Brvenik (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Kungu Panda (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Martin Holste (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Jefferson, Shawn (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Martin Holste (Jan 11)
- Re: FTP passive data transfer FP's and flowbits Martin Holste (Jan 10)
- Re: FTP passive data transfer FP's and flowbits CunningPike (Jan 14)