Re: FTP PrePreproc Alerts: msg#00020

security.ids.snort.devel

Subject: Re: FTP PrePreproc Alerts

Hi Bamm--

It's been a while since I looked at that code... Can you
provide a tcpdump/pcap that demonstrates this to make
the testing easier?

Thanks.
-steve

Bamm Visscher wrote:
> ftp_pp: FTP malformed parameter is triggering on:
>
> DST: 250 "/bmtmicro/DLC_WEB/Picture Window (BMT Micro)/Picture Window
> Doc" is new cwd.
> DST:
> SRC: MDTM Color Management Terms.pdf
> SRC:
> DST: 213 20040622074516
> DST:
> SRC: SIZE Color Management Terms.pdf
> SRC:
> DST: 213 251003
> DST:
>
> I am using the std config on snort-2.6.0:
> preprocessor ftp_telnet_protocol: ftp server default \
> def_max_param_len 100 \
> alt_max_param_len 200 { CWD } \
> cmd_validity MODE < char ASBCZ > \
> cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
> telnet_cmds yes \
> data_chan
>
>
> Looks like the format looks for an optional date followed by a string.
> Could the spaces in the filename be causing the alert to be generated?
>
> Bammkkkk
>
>
>
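
A model of the quoted `cmd_validity MDTM` format, added here as an example; it is not Snort's code and not from either poster. It assumes `n` means one digit, `[...]` an optional group and `string` any remaining text, and the function names are hypothetical. Under those assumptions the MDTM argument from the thread is accepted as the string part, which gives a baseline to compare against what the preprocessor does on a capture.

```python
import re

# Date format and length limit copied from the config quoted in the thread.
MDTM_DATE_FMT = "nnnnnnnnnnnnnn[.n[n[n]]]"
DEF_MAX_PARAM_LEN = 100

def datefmt_to_regex(fmt):
    """Assumed symbol meanings: n = one digit, [..] = optional group,
    any other character = literal."""
    out, depth = [], 0
    for ch in fmt:
        if ch == "n":
            out.append(r"\d")
        elif ch == "[":
            out.append("(?:")
            depth += 1
        elif ch == "]":
            out.append(")?")
            depth -= 1
        else:
            out.append(re.escape(ch))
    if depth != 0:
        raise ValueError("unbalanced brackets in date format")
    return re.compile("".join(out))

DATE_RE = datefmt_to_regex(MDTM_DATE_FMT)

def check_mdtm_param(param):
    """Model of '[ date ] string'; returns (verdict, date, string)."""
    if len(param) > DEF_MAX_PARAM_LEN:
        return ("too_long", None, param)
    if not param:
        return ("malformed", None, param)   # the string part is required
    first, _, rest = param.partition(" ")
    # The date is optional: consume the first token as a date only when it
    # matches the whole format and a file name follows it.
    if rest and DATE_RE.fullmatch(first):
        return ("ok", first, rest)
    return ("ok", None, param)              # whole parameter is the string

# Constructed parameters; the first is the MDTM argument from the thread.
SAMPLES = ["Color Management Terms.pdf",
           "20040622074516 Color Management Terms.pdf",
           "20040622074516.123 notes.txt", "2004 budget.xls", "A" * 101]

if __name__ == "__main__":
    for p in SAMPLES:
        print(repr(p[:45]), "->", check_mdtm_param(p)[:2])
```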



