
Snort mailing list archives
FW: Re: FTP / Telnet normalization and anomaly detection
From: "Frank Kirschner" <frank () celebrate de>
Date: Tue, 10 Dec 2013 10:26:10 +0100
Disabling checksum has not given a better result. This is the actual part of the ftp preprocessor config:

# FTP / Telnet normalization and anomaly detection.
# For more information, see README.ftptelnet
preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted

preprocessor ftp_telnet_protocol: telnet \
    ayt_attack_thresh 20 \
    normalize ports { 23 } \
    detect_anomalies

preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 3535 } \
    telnet_cmds yes \
    ignore_telnet_erase_cmds yes \
    ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
    ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
    ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
    ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
    ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
    ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
    ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
    ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
    ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
    ftp_cmds { XSEN XSHA1 XSHA256 MFMT } \
    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
    alt_max_param_len 512 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD SIZE MFMT } \
    alt_max_param_len 256 { CWD RNTO } \
    alt_max_param_len 400 { PORT } \
    # alt_max_param_len 512 { SIZE } \
    chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
    chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
    chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
    chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
    chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
    chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
    chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
    chk_str_fmt { XSEM XSEN XSHA1 XSHA256 MFMT } \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
    cmd_validity MACB < string > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity PORT < host_port > \
    cmd_validity PROT < char CSEP > \
    cmd_validity STRU < char FRPO [ string ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >

preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    ignore_telnet_erase_cmds yes \
    telnet_cmds yes
# End FTP / Telnet normalization and anomaly detection.
#################################################################

Here is the capture of the FTP session:

No. Time Source Destination Protocol Length Info
5 137.072632 175.182.0.xxx 94.100.75.xxx TCP 74 36026 > ftp [SYN] Seq=0 Win=5840 Len=0 MSS=1452 SACK_PERM=1 TSval=1340177711 TSecr=0 WS=128

Frame 5: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 0, Len: 0

No. Time Source Destination Protocol Length Info
6 137.073059 94.100.75.xxx 175.182.0.xxx TCP 74 ftp > 36026 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSval=3412029235 TSecr=1340177711 WS=128

Frame 6: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a (00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst: 175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026), Seq: 0, Ack: 1, Len: 0

No. Time Source Destination Protocol Length Info
7 137.383320 175.182.0.xxx 94.100.75.xxx TCP 66 36026 > ftp [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSval=1340177742 TSecr=3412029235

Frame 7: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 1, Ack: 1, Len: 0

No. Time Source Destination Protocol Length Info
8 137.384867 94.100.75.xxx 175.182.0.xxx FTP 97 Response: 220 FTP Media Server 2 ready.

Frame 8: 97 bytes on wire (776 bits), 97 bytes captured (776 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a (00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst: 175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026), Seq: 1, Ack: 1, Len: 31
File Transfer Protocol (FTP)
    220 FTP Media Server 2 ready.\r\n
        Response code: Service ready for new user (220)
        Response arg: FTP Media Server 2 ready.

No. Time Source Destination Protocol Length Info
9 137.695631 175.182.0.xxx 94.100.75.xxx TCP 66 36026 > ftp [ACK] Seq=1 Ack=32 Win=5888 Len=0 TSval=1340177773 TSecr=3412029547

Frame 9: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 1, Ack: 32, Len: 0

No. Time Source Destination Protocol Length Info
10 137.695755 175.182.0.xxx 94.100.75.xxx FTP 72 Request: FEAT

Frame 10: 72 bytes on wire (576 bits), 72 bytes captured (576 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 1, Ack: 32, Len: 6
File Transfer Protocol (FTP)
    FEAT\r\n
        Request command: FEAT

No. Time Source Destination Protocol Length Info
11 137.696051 94.100.75.xxx 175.182.0.xxx TCP 66 ftp > 36026 [ACK] Seq=32 Ack=7 Win=5888 Len=0 TSval=3412029858 TSecr=1340177773

Frame 11: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a (00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst: 175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026), Seq: 32, Ack: 7, Len: 0

No. Time Source Destination Protocol Length Info
12 137.696172 94.100.75.xxx 175.182.0.xxx FTP 235 Response: 211-Features:

Frame 12: 235 bytes on wire (1880 bits), 235 bytes captured (1880 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a (00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst: 175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026), Seq: 32, Ack: 7, Len: 169
File Transfer Protocol (FTP)
    211-Features:\r\n
        Response code: System status, or system help reply (211)
        Response arg: Features:
    MDTM\r\n
    MFMT\r\n
    TVFS\r\n
    MFF modify;UNIX.group;UNIX.mode;\r\n
    MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;\r\n
    REST STREAM\r\n
    SIZE\r\n

No. Time Source Destination Protocol Length Info
13 137.696181 94.100.75.xxx 175.182.0.xxx FTP 75 Response: 211 End

Frame 13: 75 bytes on wire (600 bits), 75 bytes captured (600 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a (00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst: 175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026), Seq: 201, Ack: 7, Len: 9
File Transfer Protocol (FTP)
    211 End\r\n
        Response code: System status, or system help reply (211)
        Response arg: End

No. Time Source Destination Protocol Length Info
14 138.006820 175.182.0.xxx 94.100.75.xxx TCP 66 36026 > ftp [ACK] Seq=7 Ack=210 Win=6912 Len=0 TSval=1340177804 TSecr=3412029858

Frame 14: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 7, Ack: 210, Len: 0

No. Time Source Destination Protocol Length Info
15 138.007442 175.182.0.xxx 94.100.75.xxx FTP 132 Request: OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;

Frame 15: 132 bytes on wire (1056 bits), 132 bytes captured (1056 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 7, Ack: 210, Len: 66
File Transfer Protocol (FTP)
    OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;\r\n
        Request command: OPTS
        Request arg: MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;

No. Time Source Destination Protocol Length Info
16 138.007990 94.100.75.xxx 175.182.0.xxx FTP 136 Response: 200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;

Frame 16: 136 bytes on wire (1088 bits), 136 bytes captured (1088 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a (00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst: 175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026), Seq: 210, Ack: 73, Len: 70
File Transfer Protocol (FTP)
    200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;\r\n
        Response code: Command okay (200)
        Response arg: OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;

No. Time Source Destination Protocol Length Info
17 138.319004 175.182.0.xxx 94.100.75.xxx FTP 83 Request: USER test

Frame 17: 83 bytes on wire (664 bits), 83 bytes captured (664 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 73, Ack: 280, Len: 17
File Transfer Protocol (FTP)
    USER test\r\n
        Request command: USER
        Request arg: test

No. Time Source Destination Protocol Length Info
18 138.319427 94.100.75.xxx 175.182.0.xxx FTP 104 Response: 331 Password required for test

Frame 18: 104 bytes on wire (832 bits), 104 bytes captured (832 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a (00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst: 175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026), Seq: 280, Ack: 90, Len: 38
File Transfer Protocol (FTP)
    331 Password required for test\r\n
        Response code: User name okay, need password (331)
        Response arg: Password required for test

No. Time Source Destination Protocol Length Info
19 138.630070 175.182.0.xxx 94.100.75.xxx FTP 81 Request: PASS xxx_test_xxx

Frame 19: 81 bytes on wire (648 bits), 81 bytes captured (648 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 90, Ack: 318, Len: 15
File Transfer Protocol (FTP)
    PASS xxx_test_xxx\r\n
        Request command: PASS
        Request arg: xxx_test_xxx

No. Time Source Destination Protocol Length Info
20 138.641482 94.100.75.xxx 175.182.0.xxx FTP 98 Response: 230 User test logged in.

Frame 20: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a (00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst: 175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026), Seq: 318, Ack: 105, Len: 32
File Transfer Protocol (FTP)
    230 User test logged in.\r\n
        Response code: User logged in, proceed (230)
        Response arg: User test logged in.

No. Time Source Destination Protocol Length Info
21 138.952129 175.182.0.xxx 94.100.75.xxx FTP 74 Request: TYPE I

Frame 21: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 105, Ack: 350, Len: 8
File Transfer Protocol (FTP)
    TYPE I\r\n
        Request command: TYPE
        Request arg: I

No. Time Source Destination Protocol Length Info
22 138.952675 94.100.75.xxx 175.182.0.xxx FTP 85 Response: 200 Type set to I

Frame 22: 85 bytes on wire (680 bits), 85 bytes captured (680 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a (00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst: 175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026), Seq: 350, Ack: 113, Len: 19
File Transfer Protocol (FTP)
    200 Type set to I\r\n
        Response code: Command okay (200)
        Response arg: Type set to I

No. Time Source Destination Protocol Length Info
23 139.263191 175.182.0.xxx 94.100.75.xxx FTP 81 Request: SIZE DM03.rar

Frame 23: 81 bytes on wire (648 bits), 81 bytes captured (648 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 113, Ack: 369, Len: 15
File Transfer Protocol (FTP)
    SIZE DM03.rar\r\n
        Request command: SIZE
        Request arg: DM03.rar

No. Time Source Destination Protocol Length Info
24 139.263734 94.100.75.xxx 175.182.0.xxx FTP 81 Response: 213 434155443

Frame 24: 81 bytes on wire (648 bits), 81 bytes captured (648 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a (00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst: 175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026), Seq: 369, Ack: 128, Len: 15
File Transfer Protocol (FTP)
    213 434155443\r\n
        Response code: File status (213)
        Response arg: 434155443

No. Time Source Destination Protocol Length Info
25 139.574123 175.182.0.xxx 94.100.75.xxx FTP 96 Request: MFMT 20131209101748 DM03.rar

Frame 25: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 128, Ack: 384, Len: 30
File Transfer Protocol (FTP)
    MFMT 20131209101748 DM03.rar\r\n
        Request command: MFMT
        Request arg: 20131209101748 DM03.rar

No. Time Source Destination Protocol Length Info
26 139.574542 94.100.75.xxx 175.182.0.xxx FTP 103 Response: 213 Modify=20131209101748; DM03.rar

Frame 26: 103 bytes on wire (824 bits), 103 bytes captured (824 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a (00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst: 175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026), Seq: 384, Ack: 158, Len: 37
File Transfer Protocol (FTP)
    213 Modify=20131209101748; DM03.rar\r\n
        Response code: File status (213)
        Response arg: Modify=20131209101748; DM03.rar

No. Time Source Destination Protocol Length Info
27 139.922912 175.182.0.xxx 94.100.75.xxx TCP 66 36026 > ftp [ACK] Seq=158 Ack=421 Win=6912 Len=0 TSval=1340177996 TSecr=3412031737

Frame 27: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 158, Ack: 421, Len: 0

No. Time Source Destination Protocol Length Info
28 139.970135 175.182.0.xxx 94.100.75.xxx FTP 72 Request: QUIT

Frame 28: 72 bytes on wire (576 bits), 72 bytes captured (576 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 158, Ack: 421, Len: 6
File Transfer Protocol (FTP)
    QUIT\r\n
        Request command: QUIT

No. Time Source Destination Protocol Length Info
29 139.970258 175.182.0.xxx 94.100.75.xxx TCP 66 36026 > ftp [FIN, ACK] Seq=164 Ack=421 Win=6912 Len=0 TSval=1340178000 TSecr=3412031737

Frame 29: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 164, Ack: 421, Len: 0

No. Time Source Destination Protocol Length Info
30 139.970554 94.100.75.xxx 175.182.0.xxx FTP 80 Response: 221 Goodbye.

Frame 30: 80 bytes on wire (640 bits), 80 bytes captured (640 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a (00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst: 175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026), Seq: 421, Ack: 165, Len: 14
File Transfer Protocol (FTP)
    221 Goodbye.\r\n
        Response code: Service closing control connection (221)
        Response arg: Goodbye.

No. Time Source Destination Protocol Length Info
31 139.970675 94.100.75.xxx 175.182.0.xxx TCP 66 ftp > 36026 [FIN, ACK] Seq=435 Ack=165 Win=5888 Len=0 TSval=3412032133 TSecr=1340178000

Frame 31: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db), Dst: Cisco_c4:84:1a (00:30:a3:c4:84:1a)
Internet Protocol Version 4, Src: 94.100.75.xxx (94.100.75.xxx), Dst: 175.182.0.xxx (175.182.0.xxx)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 36026 (36026), Seq: 435, Ack: 165, Len: 0

No. Time Source Destination Protocol Length Info
32 140.280823 175.182.0.xxx 94.100.75.xxx TCP 60 36026 > ftp [RST] Seq=165 Win=0 Len=0

Frame 32: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 165, Len: 0

No. Time Source Destination Protocol Length Info
33 140.281071 175.182.0.xxx 94.100.75.xxx TCP 60 36026 > ftp [RST] Seq=165 Win=0 Len=0

Frame 33: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: Cisco_c4:84:1a (00:30:a3:c4:84:1a), Dst: IntelCor_0d:a5:db (a0:36:9f:0d:a5:db)
Internet Protocol Version 4, Src: 175.182.0.xxx (175.182.0.xxx), Dst: 94.100.75.xxx (94.100.75.xxx)
Transmission Control Protocol, Src Port: 36026 (36026), Dst Port: ftp (21), Seq: 165, Len: 0

########### END of Capture ########################

Why does the preprocessor not accept the MFMT command as valid?

best regards
Frank

_____
From: Frank Kirschner [mailto:frank () celebrate de]
Sent: Saturday, December 07, 2013 12:48 PM
To: 'Snort-users'
Subject: RE: Re: [Snort-users] FTP / Telnet normalization and anomaly detection

Hi Rmkml,
thanks for this hint. Have now disabled checksum and restarted snort.
Will keep the list up to date if I have new results.
Thanks everyone for your help,
Frank

_____
From: rmkml [mailto:rmkml () yahoo fr]
Sent: Friday, December 06, 2013 6:32 PM
To: frank () celebrate de
Cc: Debieve Franck; James Lay; Snort-users
Subject: RE : Re: [Snort-users] FTP / Telnet normalization and anomaly detection

Hi Frank,
Maybe you have a wrong cksum, could you try with disabling cksum please? ( -k none )
Regards
@Rmkml

-------- Original message --------
From: James Lay <jlay () slave-tothe-box net>
Date:
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FTP / Telnet normalization and anomaly detection

On 2013-12-06 08:17, Frank Kirschner wrote:
Hello snort-users,
the FileZilla FTP client uses the "MFMT" command during an FTP session. Snort blocks this host because "MFMT" is an unknown command. I have added "MFMT" to my snort.conf as follows:
[redacted]
Now I have the result that some clients are blocked and some are not. But why?
best regards
Frank
Got a pcap or a u2boat output of a unified file?

James

------------------------------------------------------------------------------
Sponsored by Intel(R) XDK
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
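Added example, not part of the thread and not Snort's code: a small Python model of the checks that the posted ftp server profile describes (ftp_cmds membership, def_max_param_len / alt_max_param_len, chk_str_fmt, and the cmd_validity grammars), run over the request lines transcribed from the capture above. It assumes that alt_max_param_len 0 means "no parameter allowed" (as README.ftptelnet describes it), that the later of the two STOU entries in the posted config wins, and it replaces chk_str_fmt with a coarse "any '%' in the parameter" check. The verdict strings are this model's own labels, not Snort's alert messages.

```python
import re

# Model of the ftp_telnet server-profile checks, built from the snort.conf
# excerpt in the thread. Illustration only; this is not Snort's code.

DEF_MAX_PARAM_LEN = 100  # def_max_param_len from the posted config

# ftp_cmds: every command the posted profile declares as known.
FTP_CMDS = set("""
ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP CEL CLNT CMD CONF CWD DELE ENC EPRT
EPSV ESTA ESTP FEAT HELP LANG LIST LPRT LPSV MACB MAIL MDTM MIC MKD MLSD MLST
MODE NLST NOOP OPTS PASS PASV PBSZ PORT PROT PWD QUIT REIN REST RETR RMD RNFR
RNTO SDUP SITE SIZE SMNT STAT STOR STOU STRU SYST TEST TYPE USER XCUP XCRC XCWD
XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM XSEN XSHA1 XSHA256 MFMT
""".split())

# alt_max_param_len: per-command limits; 0 means no parameter is allowed.
# STOU appears under both 0 and 512 in the posted config; this model lets
# the later entry (512) win, which is an assumption.
ALT_MAX_PARAM_LEN = {}
for limit, cmds in (
    (0, "ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD"),
    (512, "ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD SIZE MFMT"),
    (256, "CWD RNTO"),
    (400, "PORT"),
):
    for c in cmds.split():
        ALT_MAX_PARAM_LEN[c] = limit

# chk_str_fmt: commands whose parameter is inspected for format specifiers.
CHK_STR_FMT = set("""
ACCT ADAT ALLO APPE AUTH CEL CLNT CMD CONF CWD DELE ENC EPRT EPSV ESTP HELP
LANG LIST LPRT MACB MAIL MDTM MIC MKD MLSD MLST MODE NLST OPTS PASS PBSZ PORT
PROT REST RETR RMD RNFR RNTO SDUP SITE SIZE SMNT STAT STOR STRU TEST TYPE USER
XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ XSEM XSEN XSHA1 XSHA256 MFMT
""".split())


def _host_port(arg):
    """cmd_validity PORT < host_port >: h1,h2,h3,h4,p1,p2, each 0..255."""
    parts = arg.split(",")
    return len(parts) == 6 and all(p.isdigit() and int(p) <= 255 for p in parts)


# cmd_validity grammars from the posted config, rendered as regexes. The
# config defines no cmd_validity for MFMT, so MFMT only gets the ftp_cmds,
# length and chk_str_fmt checks.
CMD_VALIDITY = {
    "ALLO": re.compile(r"\d+(?:\s+R\s+\d+)?").fullmatch,
    "EPSV": re.compile(r"(?:[12]|ALL)?").fullmatch,
    "MACB": re.compile(r".+").fullmatch,
    "MDTM": re.compile(r"(?:\d{14}(?:\.\d{1,3})?\s+)?.+").fullmatch,
    "MODE": re.compile(r"[ASBCZ]").fullmatch,
    "PORT": _host_port,
    "PROT": re.compile(r"[CSEP]").fullmatch,
    "STRU": re.compile(r"[FRPO](?:\s+.+)?").fullmatch,
    "TYPE": re.compile(r"[AE](?:\s+[NTC])?|I|L(?:\s+\d+)?").fullmatch,
}


def check_command(line):
    """Evaluate one client request line; returns (command, verdict)."""
    cmd, _, arg = line.rstrip("\r\n").partition(" ")
    cmd = cmd.upper()
    if cmd not in FTP_CMDS:
        return cmd, "alert: command not in ftp_cmds"
    limit = ALT_MAX_PARAM_LEN.get(cmd, DEF_MAX_PARAM_LEN)
    if len(arg) > limit:
        return cmd, f"alert: parameter length {len(arg)} exceeds {limit}"
    # Coarse stand-in for chk_str_fmt: any '%' in the parameter is flagged.
    if cmd in CHK_STR_FMT and "%" in arg:
        return cmd, "alert: format specifier in parameter"
    valid = CMD_VALIDITY.get(cmd)
    if valid is not None and not valid(arg):
        return cmd, "alert: parameter fails cmd_validity grammar"
    return cmd, "ok"


def check_session(lines):
    """Run check_command over every request line of a control session."""
    return [check_command(line) for line in lines]


# Request lines transcribed from the capture in the thread (constructed
# list; the password is the placeholder that appears in the capture).
CAPTURED_REQUESTS = [
    "FEAT",
    "OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;",
    "USER test",
    "PASS xxx_test_xxx",
    "TYPE I",
    "SIZE DM03.rar",
    "MFMT 20131209101748 DM03.rar",
    "QUIT",
]

if __name__ == "__main__":
    for cmd, verdict in check_session(CAPTURED_REQUESTS):
        print(f"{cmd:<5} {verdict}")
```

Under this model every line of the captured session, the MFMT request included, comes back "ok": MFMT is in ftp_cmds, its 23-byte parameter is well under the 512-byte alt_max_param_len, and the posted config attaches no cmd_validity grammar to it. So a length or grammar rule visible in the posted config does not explain the block by itself; the next thing to read is the exact alert message Snort logs for the blocked session, since that names which ftp_telnet check fired.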