FW: Re: FTP / Telnet normalization and anomaly detection
From: "Frank Kirschner" <frank () celebrate de>
Date: Tue, 10 Dec 2013 10:26:10 +0100

Disabling checksum has not given a better result.
This is the actual part of the ftp preprocessor config:
 
# FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
preprocessor ftp_telnet_protocol: telnet \
    ayt_attack_thresh 20 \
    normalize ports { 23 } \
    detect_anomalies
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 3535 } \
    telnet_cmds yes \
    ignore_telnet_erase_cmds yes \
    ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
    ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
    ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
    ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
    ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
    ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
    ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
    ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
    ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
    ftp_cmds { XSEN XSHA1 XSHA256 MFMT } \
    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
    alt_max_param_len 512 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD SIZE MFMT } \
    alt_max_param_len 256 { CWD RNTO } \
    alt_max_param_len 400 { PORT } \
    # alt_max_param_len 512 { SIZE } \
    chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
    chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
    chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
    chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
    chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
    chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
    chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
    chk_str_fmt { XSEM XSEN XSHA1 XSHA256 MFMT } \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
    cmd_validity MACB < string > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity PORT < host_port > \
    cmd_validity PROT < char CSEP > \
    cmd_validity STRU < char FRPO [ string ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    ignore_telnet_erase_cmds yes \
    telnet_cmds yes
 
# End FTP / Telnet normalization and anomaly detection. 
#################################################################
 
 
Here is the capturing of the FTP session:
 
 
 
 
No.     Time        Source                Destination           Protocol
Length Info
      5 137.072632  175.182.0.xxx         94.100.75.xxx          TCP      74
36026 > ftp [SYN] Seq=0 Win=5840 Len=0 MSS=1452 SACK_PERM=1 TSval=1340177711
TSecr=0 WS=128
 
Frame 5: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 0, Len: 0
 
No.     Time        Source                Destination           Protocol
Length Info
      6 137.073059  94.100.75.xxx          175.182.0.xxx         TCP      74
ftp > 36026 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1
TSval=3412029235 TSecr=1340177711 WS=128
 
Frame 6: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a
(00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst:
175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026),
Seq: 0, Ack: 1, Len: 0
 
No.     Time        Source                Destination           Protocol
Length Info
      7 137.383320  175.182.0.xxx         94.100.75.xxx          TCP      66
36026 > ftp [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSval=1340177742
TSecr=3412029235
 
Frame 7: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 1, Ack: 1, Len: 0
 
No.     Time        Source                Destination           Protocol
Length Info
      8 137.384867  94.100.75.xxx          175.182.0.xxx         FTP      97
Response: 220 FTP Media Server 2 ready.
 
Frame 8: 97 bytes on wire (776 bits), 97 bytes captured (776 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a
(00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst:
175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026),
Seq: 1, Ack: 1, Len: 31
File Transfer Protocol (FTP)
    220 FTP Media Server 2 ready.\r\n
        Response code: Service ready for new user (220)
        Response arg: FTP Media Server 2 ready.
 
No.     Time        Source                Destination           Protocol
Length Info
      9 137.695631  175.182.0.xxx         94.100.75.xxx          TCP      66
36026 > ftp [ACK] Seq=1 Ack=32 Win=5888 Len=0 TSval=1340177773
TSecr=3412029547
 
Frame 9: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 1, Ack: 32, Len: 0
 
No.     Time        Source                Destination           Protocol
Length Info
     10 137.695755  175.182.0.xxx         94.100.75.xxx          FTP      72
Request: FEAT
 
Frame 10: 72 bytes on wire (576 bits), 72 bytes captured (576 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 1, Ack: 32, Len: 6
File Transfer Protocol (FTP)
    FEAT\r\n
        Request command: FEAT
 
No.     Time        Source                Destination           Protocol
Length Info
     11 137.696051  94.100.75.xxx          175.182.0.xxx         TCP      66
ftp > 36026 [ACK] Seq=32 Ack=7 Win=5888 Len=0 TSval=3412029858
TSecr=1340177773
 
Frame 11: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a
(00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst:
175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026),
Seq: 32, Ack: 7, Len: 0
 
No.     Time        Source                Destination           Protocol
Length Info
     12 137.696172  94.100.75.xxx          175.182.0.xxx         FTP
235    Response: 211-Features:
 
Frame 12: 235 bytes on wire (1880 bits), 235 bytes captured (1880 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a
(00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst:
175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026),
Seq: 32, Ack: 7, Len: 169
File Transfer Protocol (FTP)
    211-Features:\r\n
        Response code: System status, or system help reply (211)
        Response arg: Features:
     MDTM\r\n
     MFMT\r\n
     TVFS\r\n
     MFF modify;UNIX.group;UNIX.mode;\r\n
     MLST
modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;\r\n
     REST STREAM\r\n
     SIZE\r\n
 
No.     Time        Source                Destination           Protocol
Length Info
     13 137.696181  94.100.75.xxx          175.182.0.xxx         FTP      75
Response: 211 End
 
Frame 13: 75 bytes on wire (600 bits), 75 bytes captured (600 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a
(00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst:
175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026),
Seq: 201, Ack: 7, Len: 9
File Transfer Protocol (FTP)
    211 End\r\n
        Response code: System status, or system help reply (211)
        Response arg: End
 
No.     Time        Source                Destination           Protocol
Length Info
     14 138.006820  175.182.0.xxx         94.100.75.xxx          TCP      66
36026 > ftp [ACK] Seq=7 Ack=210 Win=6912 Len=0 TSval=1340177804
TSecr=3412029858
 
Frame 14: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 7, Ack: 210, Len: 0
 
No.     Time        Source                Destination           Protocol
Length Info
     15 138.007442  175.182.0.xxx         94.100.75.xxx          FTP
132    Request: OPTS MLST
modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
 
Frame 15: 132 bytes on wire (1056 bits), 132 bytes captured (1056 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 7, Ack: 210, Len: 66
File Transfer Protocol (FTP)
    OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;\r\n
        Request command: OPTS
        Request arg: MLST
modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
 
No.     Time        Source                Destination           Protocol
Length Info
     16 138.007990  94.100.75.xxx          175.182.0.xxx         FTP
136    Response: 200 OPTS MLST
modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
 
Frame 16: 136 bytes on wire (1088 bits), 136 bytes captured (1088 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a
(00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst:
175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026),
Seq: 210, Ack: 73, Len: 70
File Transfer Protocol (FTP)
    200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;\r\n
        Response code: Command okay (200)
        Response arg: OPTS MLST
modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
 
No.     Time        Source                Destination           Protocol
Length Info
     17 138.319004  175.182.0.xxx         94.100.75.xxx          FTP      83
Request: USER test
 
Frame 17: 83 bytes on wire (664 bits), 83 bytes captured (664 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 73, Ack: 280, Len: 17
File Transfer Protocol (FTP)
    USER test\r\n
        Request command: USER
        Request arg: test
 
No.     Time        Source                Destination           Protocol
Length Info
     18 138.319427  94.100.75.xxx          175.182.0.xxx         FTP
104    Response: 331 Password required for test
 
Frame 18: 104 bytes on wire (832 bits), 104 bytes captured (832 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a
(00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst:
175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026),
Seq: 280, Ack: 90, Len: 38
File Transfer Protocol (FTP)
    331 Password required for test\r\n
        Response code: User name okay, need password (331)
        Response arg: Password required for test
 
No.     Time        Source                Destination           Protocol
Length Info
     19 138.630070  175.182.0.xxx         94.100.75.xxx          FTP      81
Request: PASS xxx_test_xxx
 
Frame 19: 81 bytes on wire (648 bits), 81 bytes captured (648 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 90, Ack: 318, Len: 15
File Transfer Protocol (FTP)
    PASS xxx_test_xxx\r\n
        Request command: PASS
        Request arg: xxx_test_xxx
 
No.     Time        Source                Destination           Protocol
Length Info
     20 138.641482  94.100.75.xxx          175.182.0.xxx         FTP      98
Response: 230 User test logged in.
 
Frame 20: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a
(00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst:
175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026),
Seq: 318, Ack: 105, Len: 32
File Transfer Protocol (FTP)
    230 User test logged in.\r\n
        Response code: User logged in, proceed (230)
        Response arg: User test logged in.
 
No.     Time        Source                Destination           Protocol
Length Info
     21 138.952129  175.182.0.xxx         94.100.75.xxx          FTP      74
Request: TYPE I
 
Frame 21: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 105, Ack: 350, Len: 8
File Transfer Protocol (FTP)
    TYPE I\r\n
        Request command: TYPE
        Request arg: I
 
No.     Time        Source                Destination           Protocol
Length Info
     22 138.952675  94.100.75.xxx          175.182.0.xxx         FTP      85
Response: 200 Type set to I
 
Frame 22: 85 bytes on wire (680 bits), 85 bytes captured (680 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a
(00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst:
175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026),
Seq: 350, Ack: 113, Len: 19
File Transfer Protocol (FTP)
    200 Type set to I\r\n
        Response code: Command okay (200)
        Response arg: Type set to I
 
No.     Time        Source                Destination           Protocol
Length Info
     23 139.263191  175.182.0.xxx         94.100.75.xxx          FTP      81
Request: SIZE DM03.rar
 
Frame 23: 81 bytes on wire (648 bits), 81 bytes captured (648 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 113, Ack: 369, Len: 15
File Transfer Protocol (FTP)
    SIZE DM03.rar\r\n
        Request command: SIZE
        Request arg: DM03.rar
 
No.     Time        Source                Destination           Protocol
Length Info
     24 139.263734  94.100.75.xxx          175.182.0.xxx         FTP      81
Response: 213 434155443
 
Frame 24: 81 bytes on wire (648 bits), 81 bytes captured (648 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a
(00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst:
175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026),
Seq: 369, Ack: 128, Len: 15
File Transfer Protocol (FTP)
    213 434155443\r\n
        Response code: File status (213)
        Response arg: 434155443
 
No.     Time        Source                Destination           Protocol
Length Info
     25 139.574123  175.182.0.xxx         94.100.75.xxx          FTP      96
Request: MFMT 20131209101748 DM03.rar
 
Frame 25: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 128, Ack: 384, Len: 30
File Transfer Protocol (FTP)
    MFMT 20131209101748 DM03.rar\r\n
        Request command: MFMT
        Request arg: 20131209101748 DM03.rar
 
No.     Time        Source                Destination           Protocol
Length Info
     26 139.574542  94.100.75.xxx          175.182.0.xxx         FTP
103    Response: 213 Modify=20131209101748; DM03.rar
 
Frame 26: 103 bytes on wire (824 bits), 103 bytes captured (824 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a
(00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst:
175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026),
Seq: 384, Ack: 158, Len: 37
File Transfer Protocol (FTP)
    213 Modify=20131209101748; DM03.rar\r\n
        Response code: File status (213)
        Response arg: Modify=20131209101748; DM03.rar
 
No.     Time        Source                Destination           Protocol
Length Info
     27 139.922912  175.182.0.xxx         94.100.75.xxx          TCP      66
36026 > ftp [ACK] Seq=158 Ack=421 Win=6912 Len=0 TSval=1340177996
TSecr=3412031737
 
Frame 27: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 158, Ack: 421, Len: 0
 
No.     Time        Source                Destination           Protocol
Length Info
     28 139.970135  175.182.0.xxx         94.100.75.xxx          FTP      72
Request: QUIT
 
Frame 28: 72 bytes on wire (576 bits), 72 bytes captured (576 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 158, Ack: 421, Len: 6
File Transfer Protocol (FTP)
    QUIT\r\n
        Request command: QUIT
 
No.     Time        Source                Destination           Protocol
Length Info
     29 139.970258  175.182.0.xxx         94.100.75.xxx          TCP      66
36026 > ftp [FIN, ACK] Seq=164 Ack=421 Win=6912 Len=0 TSval=1340178000
TSecr=3412031737
 
Frame 29: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 164, Ack: 421, Len: 0
 
No.     Time        Source                Destination           Protocol
Length Info
     30 139.970554  94.100.75.xxx          175.182.0.xxx         FTP      80
Response: 221 Goodbye.
 
Frame 30: 80 bytes on wire (640 bits), 80 bytes captured (640 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a
(00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst:
175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026),
Seq: 421, Ack: 165, Len: 14
File Transfer Protocol (FTP)
    221 Goodbye.\r\n
        Response code: Service closing control connection (221)
        Response arg: Goodbye.
 
No.     Time        Source                Destination           Protocol
Length Info
     31 139.970675  94.100.75.xxx          175.182.0.xxx         TCP      66
ftp > 36026 [FIN, ACK] Seq=435 Ack=165 Win=5888 Len=0 TSval=3412032133
TSecr=1340178000
 
Frame 31: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a
(00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst:
175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026),
Seq: 435, Ack: 165, Len: 0
 
No.     Time        Source                Destination           Protocol
Length Info
     32 140.280823  175.182.0.xxx         94.100.75.xxx          TCP      60
36026 > ftp [RST] Seq=165 Win=0 Len=0
 
Frame 32: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 165, Len: 0
 
No.     Time        Source                Destination           Protocol
Length Info
     33 140.281071  175.182.0.xxx         94.100.75.xxx          TCP      60
36026 > ftp [RST] Seq=165 Win=0 Len=0
 
Frame 33: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db
(a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst:
94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21),
Seq: 165, Len: 0

 
 
########### END of Capture ########################
 
Why does the preprocessor not accept the MFMT command as valid?
 
best regards
Frank 
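As an added troubleshooting aid for the question above (this is editorial example code, not part of Frank's mail and not the Snort project's own implementation), the following Python models three of the checks that the posted "ftp server default" config asks for: the ftp_cmds command list, the def_max_param_len / alt_max_param_len limits, and chk_str_fmt. It parses a constructed excerpt of the config fragment above and runs the requests visible in the capture through those checks. The reading of the options is simplified (parameter length is measured as the text after the command keyword and one space; the format-string check is a printf-style regex), and cmd_validity grammars, telnet normalization and stream reassembly are deliberately not modelled, so the script cannot by itself say why MFMT was rejected; it only confirms or rules out the command list and the length limits as written.

```python
import re

# Added troubleshooting helper (not Snort's code): models three of the checks the
# posted "ftp server default" config asks for -- the ftp_cmds command list,
# def_max_param_len / alt_max_param_len limits and chk_str_fmt -- and runs them
# over the requests seen in the capture. cmd_validity grammars, telnet
# normalization and stream reassembly are deliberately not modelled.

# Constructed excerpt of the snort.conf fragment above (relevant lines only).
FTP_SERVER_CONFIG = r"""
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
    ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
    ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
    ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
    ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
    ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
    ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
    ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
    ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
    ftp_cmds { XSEN XSHA1 XSHA256 MFMT } \
    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
    alt_max_param_len 512 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD SIZE MFMT } \
    alt_max_param_len 256 { CWD RNTO } \
    alt_max_param_len 400 { PORT } \
    # alt_max_param_len 512 { SIZE } \
    chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
    chk_str_fmt { XSEM XSEN XSHA1 XSHA256 MFMT }
"""

# Constructed from the "Request:" lines of the capture above.
CAPTURED_REQUESTS = [
    "FEAT",
    "OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;",
    "USER test",
    "PASS xxx_test_xxx",
    "TYPE I",
    "SIZE DM03.rar",
    "MFMT 20131209101748 DM03.rar",
    "QUIT",
]

# Simplified printf-style specifier, used for the chk_str_fmt check.
FMT_SPEC = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")


def parse_ftp_server_config(text):
    """Extract command list, per-command length limits and chk_str_fmt set."""
    # Drop comment lines first, then fold backslash continuations into one line.
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    joined = re.sub(r"\\\s*\n", " ", "\n".join(lines) + "\n")
    cfg = {"cmds": set(), "max_len": {}, "chk_str_fmt": set(), "default_max": None}
    m = re.search(r"def_max_param_len\s+(\d+)", joined)
    if m:
        cfg["default_max"] = int(m.group(1))
    for body in re.findall(r"ftp_cmds\s*\{([^}]*)\}", joined):
        cfg["cmds"].update(body.split())
    for limit, body in re.findall(r"alt_max_param_len\s+(\d+)\s*\{([^}]*)\}", joined):
        for cmd in body.split():
            cfg["max_len"][cmd] = int(limit)
    for body in re.findall(r"chk_str_fmt\s*\{([^}]*)\}", joined):
        cfg["chk_str_fmt"].update(body.split())
    return cfg


def check_request(cfg, line):
    """Return findings for one request line; an empty list means it passes."""
    cmd, _, param = line.strip().partition(" ")
    cmd = cmd.upper()
    if cmd not in cfg["cmds"]:
        return [f"{cmd}: command not in ftp_cmds"]
    findings = []
    # Commands without an alt_max_param_len entry fall back to def_max_param_len.
    limit = cfg["max_len"].get(cmd, cfg["default_max"])
    if limit is not None and len(param) > limit:
        findings.append(f"{cmd}: parameter length {len(param)} exceeds {limit}")
    if cmd in cfg["chk_str_fmt"] and FMT_SPEC.search(param):
        findings.append(f"{cmd}: format specifier in parameter")
    return findings


def check_session(cfg, requests):
    """Map each request line to its findings."""
    return {req: check_request(cfg, req) for req in requests}


if __name__ == "__main__":
    cfg = parse_ftp_server_config(FTP_SERVER_CONFIG)
    for req, findings in check_session(cfg, CAPTURED_REQUESTS).items():
        print(f"{req!r:70} -> {findings or 'ok'}")
```

Run stand-alone, it reports all eight captured requests as passing: MFMT is in the ftp_cmds list, its 23-byte parameter is under the 512-byte alt_max_param_len, and no parameter contains a format specifier. That is the first thing to confirm when a command is reported as unknown, namely that the snort.conf actually loaded by the running process contains the command and that the configured limit is not exceeded; anything the script cannot explain then has to come from the parts it does not model (cmd_validity, normalization, the stream state mentioned earlier in the thread).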

  _____  

From: Frank Kirschner [mailto:frank () celebrate de]
Sent: Saturday, December 07, 2013 12:48 PM
To: 'Snort-users'
Subject: RE: Re: [Snort-users] FTP / Telnet normalization and anomaly detection


Hi Rmkml,
 
thanks for this hint. Have now disabled checksum and restarted snort. Will
keep the list up to date if I have new results.
 
Thanks everyone for your help,
Frank

  _____  

From: rmkml [mailto:rmkml () yahoo fr]
Sent: Friday, December 06, 2013 6:32 PM
To: frank () celebrate de
Cc: Debieve Franck; James Lay; Snort-users
Subject: RE : Re: [Snort-users] FTP / Telnet normalization and anomaly detection


Hi Frank, 

Maybe you have a wrong cksum; could you try disabling cksum please? (-k none)

Regards
@Rmkml





-------- Original message --------
From: James Lay <jlay () slave-tothe-box net>
Date:
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FTP / Telnet normalization and anomaly detection


On 2013-12-06 08:17, Frank Kirschner wrote:
Hello snort-users,

the FileZilla FTP client uses the "MFMT" command during an FTP session. Snort
blocks this host because "MFMT" is an unknown command.
I have added "MFMT" in my snort.conf as follows:

[redacted]

Now I have the result: some clients are blocked and some not. But why?

best regards
Frank

Got a pcap or a u2boat output of a unified file?

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!

