Ftp server behind PFSense1.2.2 and Snort
-
I did it that way as it was the only way that got incoming ftp to proftpd working. Please let me know if you find another way.
-
Now I have my Coppermine album online. If you are interested in aviation, check out http://mohman.homeip.net
Also my ftp server is online, but snort is still blocking connections.
-
Since there has been a lot of activity in the forum lately around snort, I thought that I should pick up this thread again! =)
I still have problems with ftp creating alerts, even though I have whitelisted all the IPs triggering the ftp helper. I also have disabled the ftp rule category. I have tried to add some commands to snort.inc but, no difference. Any ideas?
I'm running pfsense 1.2.2 and snort 2.8.4
Last 100 Snort Alert entries
06/10-09:20:02.147179 [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP} xxxxxxx:59636 -> xxxxxxxxx:21
06/10-09:20:02.521083 [ ** ] [ 125:2:1 ] (ftp_telnet) Invalid FTP Command [ ** ] [ Priority: 3 ] {TCP} xxxx:59636 -> xxxxxx:21
-
That alert is not coming from a rule. It's coming from a snort dynamic preprocessor, libsf_ftptelnet. You need to use the /usr/local/etc/snort/threshold.conf.
I am still adding features to the snort package and this one is on my TODO list. Give me a sec and I'll tell you what to add. I'm only one man so things take time.
I, too, have had issues with the FTP preprocessor in the past. One fix was easy – adding EPSV, but others have eluded me. SITE has also given me trouble before from people using IE as an FTP client. You pretty much have to tcpdump on both sides of the pfSense box while watching the connection to see which command it tries and fails, and keep altering the FTP directives to suit it. For my customer with issues I disabled the entire FTP preprocessor -- from the "preprocessor ftp_telnet: global" line all the way down to the "max_resp_len 100" line.
I wonder if there is a more up-to-date set of preprocessor directives out there somewhere that might help.
There is supposedly a directive that will make the preprocessor only alert and not block, but I never could get it to work right, so disabling was easier.
-
Great!! I'll disable the ftp preprocessor until you are done then. Thanks for all the hard work!!
-
Hello Jamesdean -
Well, first of all, thank you for your work on the pfSense Snort package. It is working for me for the first time. However, it is not possible for someone to make an FTP connection to an FTP server behind pfSense now that snort is installed. This is the error:
Last 100 Snort Alert entries [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] 06/16-21:48:11.601430 xxx.xxx.xxx.xxx:50218 -> xxx.xxx.xxx.xxx:21 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:46 ***AP*** Seq: 0xFB21BEF1 Ack: 0x8546B491 Win: 0x430 TcpLen: 20
I tried the fix you suggested:
Put this in your /usr/local/etc/snort/threshold.conf
suppress gen_id 4, sig_id 125
suppress gen_id 2, sig_id 125
I rebooted, and 'restarted' snort but the error is the same.
Please, I need to get this working. Any other workaround besides disabling Snort?
Thank you.
ps- I'm on pfSense 1.2.3 RC1 with Snort 2.8.4.1 pkg v. 1.3
-
Thanx for the nice words.
Oops, my fault, I had the numbers reversed. Try this.
Put this in your /usr/local/etc/snort/threshold.conf
suppress gen_id 125, sig_id 4
suppress gen_id 125, sig_id 2
-
That seems to have worked… THANKS!
-
Thanks JamesDean. The threshold stuff worked for me too to get rid of a lot of ftp preprocessor stuff.
Though, I still have the following: [ ** ] [ 125:1:1 ] (ftp_telnet) TELNET CMD on FTP Command Channel [ ** ] [ Priority: 3 ]
Any threshold command to remove that?
-
Yes… I got that ftp-telnet alert yesterday also. Is that a preprocessor alert? I couldn't find it in the rules to disable it.
-
I believe that it is a preprocessor alert.
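The suppress lines JamesDean gave above (gen_id 125 is the ftp_telnet preprocessor, sig_id is the event number shown as the middle value in `[ 125:4:1 ]`) can be derived mechanically from the alert log, which also answers the later question about `[ 125:1:1 ]`. The script below is an added example, not part of this thread or of the pfSense snort package. It parses Snort fast-alert lines, groups preprocessor events by gid/sid and prints matching `suppress` directives for threshold.conf; it skips gid 1 events, which come from rules and should be handled by disabling the rule instead. It also shows the `track by_src, ip` form of `suppress`, which limits the suppression to the whitelisted client addresses rather than hiding the event for every host. The alert lines, the IP addresses (RFC 5737 documentation ranges) and the gid 1 rule event are constructed sample data.

```python
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional


class Alert(NamedTuple):
    gid: int
    sid: int
    rev: int
    source: str        # preprocessor name such as "ftp_telnet", "" for rule events
    msg: str
    src_ip: Optional[str]
    dst_ip: Optional[str]


# gid:sid:rev triple, optional "(preprocessor)" tag and message text, tolerant
# of the extra spaces seen in pasted alerts ("[ 125:4:1 ]" as well as "[125:4:1]").
SIG_RE = re.compile(
    r"\[\s*(\d+):(\d+):(\d+)\s*\]\s*(\([^)]*\))?\s*(.*?)\s*\[\s*\*\*\s*\]")
ADDR_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}):\d+\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one Snort fast-alert line; return None if it carries no gid:sid:rev."""
    m = SIG_RE.search(line)
    if not m:
        return None
    gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
    source = (m.group(4) or "").strip("()")
    a = ADDR_RE.search(line)
    src_ip, dst_ip = (a.group(1), a.group(2)) if a else (None, None)
    return Alert(gid, sid, rev, source, m.group(5).strip(), src_ip, dst_ip)


def parse_alerts(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (parse_alert(l) for l in lines) if a is not None]


def suppress_directives(alerts: Iterable[Alert],
                        trusted_sources: Optional[Iterable[str]] = None) -> List[str]:
    """Emit threshold.conf 'suppress' lines for every preprocessor/decoder event.

    gid 1 events are generated by rules and are skipped: disable or tune the rule
    instead of hiding it here. With trusted_sources, suppression is scoped to
    those client IPs (track by_src) so the event still fires for unknown hosts.
    """
    counts = Counter((a.gid, a.sid, a.source, a.msg) for a in alerts if a.gid != 1)
    out: List[str] = []
    for (gid, sid, source, msg), n in sorted(counts.items()):
        out.append(f"# {n}x {source or 'rule'}: {msg}")
        if trusted_sources:
            for ip in sorted(set(trusted_sources)):
                out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
        else:
            out.append(f"suppress gen_id {gid}, sig_id {sid}")
    return out


# Constructed sample alerts modelled on the ones posted in the thread.
SAMPLE_ALERTS = [
    "06/10-09:20:02.147179 [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP} 192.0.2.10:59636 -> 198.51.100.5:21",
    "06/10-09:20:02.521083 [ ** ] [ 125:2:1 ] (ftp_telnet) Invalid FTP Command [ ** ] [ Priority: 3 ] {TCP} 192.0.2.10:59636 -> 198.51.100.5:21",
    "06/17-08:01:44.000120 [**] [125:1:1] (ftp_telnet) TELNET CMD on FTP Command Channel [**] [Priority: 3] {TCP} 192.0.2.10:59700 -> 198.51.100.5:21",
    "06/17-08:02:10.314159 [**] [1:2000000:1] CONSTRUCTED local rule hit [**] [Priority: 2] {TCP} 203.0.113.7:4444 -> 198.51.100.5:80",
]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("# global suppression (what the thread used)")
    print("\n".join(suppress_directives(alerts)))
    print("# suppression limited to the whitelisted FTP client")
    print("\n".join(suppress_directives(alerts, trusted_sources={"192.0.2.10"})))
```

Run it against `/var/log/snort/alert` (or the pasted entries from the pfSense alerts tab) and append the printed lines to /usr/local/etc/snort/threshold.conf, then restart snort. The scoped form is the safer default when the preprocessor events are noise only for known clients: a malformed FTP command from an unexpected source still produces an alert.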