Need help trying to disable FTP preprocessor
-
I'm using snort 2.8.4.1_5 pkg v.1.6, and I keep on getting this alert on legitimate FTP traffic:
10/28-14:48:06.112348 [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP} 192.197.54.26:10838 -> 10.1.1.51:21
From what I can tell, this is from the preprocessor. Is there a way to disable it?
-
I used this to suppress the FTP problems I had … based on the information I found in the forum, but I am unable to confirm whether it is correct. You can try it and see the results.
Add these rules in the "Threshold" page:
suppress gen_id 125, sig_id 2
suppress gen_id 125, sig_id 4
-
Thanks, it looks like it's working so far. :D
-
This is the list I have collected so far; I'm sure everyone's will be very different.
suppress gen_id 125, sig_id 2 (ftp_telnet) FTP command parameters were malformed [ ** ]
suppress gen_id 125, sig_id 4 (ftp_telnet) FTP command parameters were malformed [ ** ]
suppress gen_id 124, sig_id 2 SMTP ClamAV recipient command injection attempt
suppress gen_id 1, sig_id 4 Portscan
suppress gen_id 119, sig_id 4 http_inspect: BARE BYTE UNICODE ENCODING
suppress gen_id 119, sig_id 2 http_inspect: DOUBLE DECODING ATTACK
suppress gen_id 1, sig_id 1852
suppress gen_id 1, sig_id 2077
suppress gen_id 1, sig_id 2410
suppress gen_id 122, sig_id 27 sfportscan
suppress gen_id 122, sig_id 19 sfportscan
suppress gen_id 119, sig_id 4 http_inspect
suppress gen_id 122, sig_id 7 sfportscan
suppress gen_id 125, sig_id 3 (ftp_telnet) FTP command parameters were too long [ ** ]
suppress gen_id 122, sig_id 1 (portscan) TCP Portscan [ ** ]
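
Added example, not part of the thread and not the Snort package's own code: the suppress entries above silence a signature for every host, so this sketch parses alert lines like the one quoted in the first post and emits suppress entries limited to a known FTP server using Snort's `track by_dst, ip` suppress options. The function names, the trusted-server set and all sample alerts except the first are assumptions made for illustration, as is the assumption that the package's "Threshold" page accepts this form.

```python
import re
from collections import Counter

# Snort "fast" alert line; tolerates the spaces inside the brackets seen in
# the alert quoted in this thread.
ALERT_RE = re.compile(
    r"\[\s*\*\*\s*\]\s*\[\s*(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s*\]\s*"
    r"(?P<msg>.*?)\s*\[\s*\*\*\s*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# First line is the alert from the thread; the others are constructed samples.
SAMPLE_ALERTS = [
    "10/28-14:48:06.112348 [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP} 192.197.54.26:10838 -> 10.1.1.51:21",
    "10/28-14:49:10.000001 [**] [125:4:1] (ftp_telnet) FTP command parameters were malformed [**] [Priority: 3] {TCP} 192.0.2.10:40000 -> 10.1.1.51:21",
    "10/28-14:50:12.000002 [**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**] [Priority: 3] {TCP} 192.0.2.10:40001 -> 10.1.1.51:21",
    "10/28-14:51:30.000003 [**] [125:4:1] (ftp_telnet) FTP command parameters were malformed [**] [Priority: 3] {TCP} 198.51.100.7:50000 -> 10.1.1.99:21",
    "10/28-14:52:44.000004 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 198.51.100.7:50001 -> 10.1.1.51:80",
]


def parse_alert(line):
    """Return the fields of one alert line as a dict, or None if no match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    alert = m.groupdict()
    alert["gid"], alert["sid"] = int(alert["gid"]), int(alert["sid"])
    return alert


def scoped_suppressions(lines, gid, trusted_dst):
    """Build (suppress entry, alert count) pairs for one generator ID,
    limited to destinations known to be legitimate servers."""
    seen = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert and alert["gid"] == gid and alert["dst"] in trusted_dst:
            seen[(alert["sid"], alert["dst"])] += 1
    return [
        (f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {ip}", n)
        for (sid, ip), n in sorted(seen.items())
    ]


if __name__ == "__main__":
    # 10.1.1.51 is the FTP server from the quoted alert, assumed trusted here.
    for rule, count in scoped_suppressions(SAMPLE_ALERTS, 125, {"10.1.1.51"}):
        print(f"{rule}    ({count} alert(s) in sample)")
```

Alerts from generator 125 that reach any other host (10.1.1.99 in the constructed sample) still fire, which keeps the preprocessor useful for hosts that are not expected to serve FTP.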