Snort: edit ftp preprocessor configuration

pfSense Packages
13 Posts 3 Posters 4.5k Views
digidax

      Thanks Bill,

I have implemented it as you wrote it down in your great HowTo and it works perfectly!

      Thanks again,
      Frank

digidax

        Feedback after one day:

Now a lot of clients can connect to our FTP servers. Taking a look at the FTP log, more and more clients are using the "MFMT" command.

1. How can I contact the maintainer of the pfSense package to ask him to add the command to the preprocessor setup by default?

2. In my pfSense XML backup nothing is found about my changes at the bottom of the interface tab. Will it not be restored in the worst case? So I have to back it up manually?

        best regards
        Frank

fragged

          Bill / bmeeks above is the current maintainer of the Snort package on pfSense.

          Edit:

          There is a commit pending for a Snort 2.9.5.5 (?) binary version that is waiting for approval from the pfSense core team. I'm sure he can look into implementing your changes into a future release of the package.

bmeeks

@digidax: (quoting Frank's "Feedback after one day" post above)

            I can add the missing command to the next update. As for the pass-through data, I need to check on it getting written to the XML.  I did not create the original package, so I have not looked at the pass-through field specifically.

            Bill

digidax

              Hi Bill,

thanks for your help. To "enable" the FTP command "MFMT" I have made the following settings in "Advanced configuration pass-through", but it only works with some clients and some others are blocked. Do you have an idea what I did wrong?

# FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
preprocessor ftp_telnet_protocol: telnet \
    ayt_attack_thresh 20 \
    normalize ports { 23 } \
    detect_anomalies
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 3535 } \
    telnet_cmds yes \
    ignore_telnet_erase_cmds yes \
    ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
    ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
    ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
    ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
    ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
    ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
    ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
    ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
    ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
    ftp_cmds { XSEN XSHA1 XSHA256 MFMT } \
    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
    alt_max_param_len 512 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
    alt_max_param_len 256 { CWD RNTO } \
    alt_max_param_len 400 { PORT } \
    alt_max_param_len 512 { SIZE MFMT } \
    chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
    chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
    chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
    chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
    chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
    chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
    chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
    chk_str_fmt { XSEM XSEN XSHA1 XSHA256 MFMT } \
    cmd_validity ALLO < int [ char R int ] > \
    cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
    cmd_validity MACB < string > \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
    cmd_validity MODE < char ASBCZ > \
    cmd_validity PORT < host_port > \
    cmd_validity PROT < char CSEP > \
    cmd_validity STRU < char FRPO [ string ] > \
    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    ignore_telnet_erase_cmds yes \
    telnet_cmds yes

              best regards
              Frank

bmeeks
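Added example, not Snort's code and not part of the pfSense package: a small Python linter for an ftp_telnet "ftp server" stanza like the one Frank posted. It joins the backslash-continued lines, collects every ftp_cmds list, and reports commands that are tuned with alt_max_param_len or chk_str_fmt but never allowed, commands that receive more than one alt_max_param_len value, length values that appear on more than one alt_max_param_len line, and continuation backslashes followed by whitespace. The stanza it runs on is a constructed, shortened version of the posted configuration (it keeps STOU under both 0 and 512, and the second 512 line, exactly as the posted config has them); the RFC 959 command list is only an approximation of Snort's built-in default command set.

```python
"""Lint a Snort 2.x ftp_telnet "ftp server" stanza.

Added example for this thread; it is not Snort code and not part of the pfSense
package.  SAMPLE_STANZA is a constructed excerpt modelled on the pass-through
configuration posted above, shortened to the keywords the checks look at.
"""
import re
from collections import Counter, defaultdict

SAMPLE_STANZA = r"""
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 3535 } \
    ftp_cmds { ABOR ACCT ALLO APPE CWD SIZE STOU } \
    ftp_cmds { XSEN XSHA1 XSHA256 MFMT } \
    alt_max_param_len 0 { ABOR PWD QUIT STOU } \
    alt_max_param_len 512 { ALLO APPE STOU } \
    alt_max_param_len 256 { CWD RNTO } \
    alt_max_param_len 512 { SIZE MFMT } \
    chk_str_fmt { ACCT ALLO APPE MFMT } \
    cmd_validity MODE < char ASBCZ >
"""

# Commands defined by RFC 959 (constructed reference list).  Snort's built-in
# default command set is what really counts; this list only approximates it so
# that the "tuned but never allowed" check does not flag standard commands.
RFC959_CMDS = set("""USER PASS ACCT CWD CDUP SMNT QUIT REIN PORT PASV TYPE STRU
MODE RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD LIST NLST
SITE SYST STAT HELP NOOP""".split())


def join_continuations(text):
    """Join backslash-continued lines into logical lines.

    Returns (logical_lines, suspicious_line_numbers).  A backslash followed by
    whitespace is still joined here, but its line number is reported: the
    backslash should be the last character on the line, and a parser that only
    looks at the final character would not continue the line.
    """
    logical, buf, suspicious = [], "", []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if re.search(r"\\[ \t]+$", raw):
            suspicious.append(lineno)
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        logical.append(" ".join(buf.split()))
    return logical, suspicious


def parse_ftp_server(text):
    """Extract ftp_cmds, chk_str_fmt and alt_max_param_len data from the first
    'ftp server' stanza in text."""
    lines, suspicious = join_continuations(text)
    prefix = "preprocessor ftp_telnet_protocol: ftp server"
    stanza = next((l for l in lines if l.startswith(prefix)), None)
    if stanza is None:
        raise ValueError("no 'ftp server' stanza found")
    cmds, strfmt, lengths, values = set(), set(), defaultdict(list), []
    for m in re.finditer(r"ftp_cmds\s*\{([^}]*)\}", stanza):
        cmds.update(m.group(1).split())
    for m in re.finditer(r"chk_str_fmt\s*\{([^}]*)\}", stanza):
        strfmt.update(m.group(1).split())
    for m in re.finditer(r"alt_max_param_len\s+(\d+)\s*\{([^}]*)\}", stanza):
        values.append(int(m.group(1)))          # one entry per alt_max_param_len line
        for c in m.group(2).split():
            lengths[c].append(int(m.group(1)))  # every length assigned to this command
    return {"ftp_cmds": cmds, "chk_str_fmt": strfmt, "lengths": dict(lengths),
            "length_values": values, "suspicious_lines": suspicious}


def lint(text):
    """Return the findings a reviewer of the posted configuration would want."""
    p = parse_ftp_server(text)
    tuned = set(p["lengths"]) | p["chk_str_fmt"]
    return {
        "tuned_but_not_allowed": sorted(
            c for c in tuned if c not in p["ftp_cmds"] and c not in RFC959_CMDS),
        "conflicting_lengths": {
            c: v for c, v in sorted(p["lengths"].items()) if len(set(v)) > 1},
        "repeated_length_values": {
            n: k for n, k in Counter(p["length_values"]).items() if k > 1},
        "suspicious_continuations": p["suspicious_lines"],
    }


if __name__ == "__main__":
    for key, value in lint(SAMPLE_STANZA).items():
        print(f"{key}: {value}")
```

Running it on the sample reports STOU with both 0 and 512, and 512 used on two separate lines; removing MFMT from the ftp_cmds lists makes it appear under "tuned_but_not_allowed", which is the mistake the thread is about.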

@digidax: (quoting Frank's post above with the pass-through configuration)

                Frank:

                I'm not proficient in this area of Snort, but just looking at your configuration I wonder if it is legal to have two alt_max_param_len 512 entries in the file.  Snort might get confused in parsing, or it may be fine with it (I really don't know).  I assume it is not throwing any errors during startup parsing.  I would try combining those two alt_max_param_len 512 entries into a single one, though, to see if that makes any difference.

                Is there any difference between the types of clients having a problem and those that do not?  Are they, for example, the same type and version operating system?  Are they using the same FTP client, etc.?

                Bill

digidax

                  Bill,

taken from the original snort.conf:

alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD }
alt_max_param_len 512 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD }
alt_max_param_len 256 { CWD RNTO }
alt_max_param_len 400 { PORT }
alt_max_param_len 512 { SIZE } \

I have added only on the last line:

                  alt_max_param_len 512 { SIZE MFMT } \

Adding the additional command with the same length - yes, this could be the problem, but otherwise SIZE was also set in the last line.

I will post the problem on the Snort mailing list and will edit the link into this posting so the discussion can be followed up.

                  Thanks and best regards
                  Frank

bmeeks

@digidax: (quoting Frank's post above)

                    Oops!  My bad.  I looked in the Snort README file for FTP-Telnet and did not check the actual Snort package source file.  I think that config line in the Snort package file probably needs to be fixed.

                    The mailing list is a good idea.  Keep me posted, and I will make any necessary edits to the package code.

                    Bill

digidax

                      Bill,

I have unchecked the FTP preprocessor and have also deleted the additional text at the end of the interface tab. Then saved and reloaded Snort from the Services tab.
But the preprocessor blocks invalid FTP commands as before !!! Why?

Can it be that something is going wrong inside pfSense while applying the configuration?

                      best regards
                      Frank

bmeeks

@digidax: (quoting Frank's post above)

                        Look in the actual snort.conf file for the affected interface and verify the FTP preprocessor configuration is in fact not there.  It should not be if FTP-Telnet normalization is disabled on the Preprocessors tab for the interface.  The path to the configuration file will be /usr/pbi/snort-{arch}/etc/snort/snort_xxxx (where xxxx is a random number string and the interface name such as em0, em1, etc.).

                        Next thing to check is that the alert and block is actually from the FTP preprocessor and not a text rule.  What is the alert signature?  Is the Generator ID something other than 1?  If so, then it is a preprocessor alert.  If other than 1, does the Generator ID match that of the FTP-Telnet preprocessor, 125?  If it is 1, then a text rule fired the alert.

                        Bill

digidax
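Added example, not part of Bill's post and not Snort or pfSense package code: a Python helper that applies the generator-ID test above to alert lines. It parses Snort's alert_fast layout, labels each alert as a text rule (GID 1), an FTP-Telnet preprocessor alert (GID 125) or some other preprocessor, and lists the FTP-Telnet alerts with their destination ports so they can be compared against the ports { } list in the ftp server stanza. The alert lines are constructed samples; their SID numbers and message texts are illustrative and not taken from the page.

```python
"""Triage Snort alerts by generator ID.

Added example for this thread, not Snort or pfSense package code.  The alert
lines below are constructed samples in Snort's alert_fast layout; their SID
numbers and message texts are illustrative only.
"""
import re
from collections import Counter

TEXT_RULE_GID = 1       # ordinary text rules fire with generator ID 1
FTP_TELNET_GID = 125    # FTP-Telnet preprocessor (FTP side), as noted in the thread

# Constructed sample alerts: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, source -> destination.
SAMPLE_ALERTS = """\
01/15-10:02:11.123456  [**] [125:2:1] (ftp_telnet) Invalid FTP Command [**] [Priority: 3] {TCP} 198.51.100.7:51322 -> 192.0.2.21:21
01/15-10:02:12.223456  [**] [1:1000001:1] LOCAL FTP MFMT command seen [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:51322 -> 192.0.2.21:21
01/15-10:03:40.000001  [**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**] [Priority: 3] {TCP} 203.0.113.9:40111 -> 192.0.2.21:2100
01/15-10:04:05.000002  [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**] [Priority: 3] {TCP} 203.0.113.9:40112 -> 192.0.2.21:21
this line is not an alert
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    return d


def classify(gid):
    """Apply the generator-ID test from the thread: 1 is a text rule, 125 is
    the FTP-Telnet preprocessor, anything else is another preprocessor."""
    if gid == TEXT_RULE_GID:
        return "text rule"
    if gid == FTP_TELNET_GID:
        return "ftp_telnet preprocessor"
    return "other preprocessor"


def triage(text):
    """Summarise a block of alert lines: count per class, the FTP-Telnet alerts
    themselves, and how many of them hit each destination port (to compare
    with the ports { } list of the ftp server stanza)."""
    alerts = [a for a in map(parse_alert, text.splitlines()) if a]
    counts = Counter(classify(a["gid"]) for a in alerts)
    ftp_alerts = [a for a in alerts if a["gid"] == FTP_TELNET_GID]
    ports_seen = Counter(a["dport"] for a in ftp_alerts)
    return {"counts": counts, "ftp_telnet": ftp_alerts, "ftp_ports_seen": ports_seen}


if __name__ == "__main__":
    summary = triage(SAMPLE_ALERTS)
    for cls, n in sorted(summary["counts"].items()):
        print(f"{n:3d}  {cls}")
    for a in summary["ftp_telnet"]:
        print(f"  {a['src']} -> {a['dst']}:{a['dport']}  [125:{a['sid']}]  {a['msg']}")
```

Feed it the alert file of one interface at a time: if the blocks you are chasing all come from GID 125, the ftp server stanza of that interface is what needs tuning; if they are GID 1, a text rule fired and the preprocessor configuration is not the place to look.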

Bill, thanks for your help.

Yes, I've checked the configuration file too. But now I think it's my bad. Sorry. Snort is running on the WAN and DMZ interfaces. All my playing around with the FTP preprocessor setting I have done on the WAN interface, not thinking that maybe I have to do this on the DMZ interface as well. The Block list didn't give me any information about which interface the block was set from.

I have now disabled the FTP preprocessor on both interfaces and inserted the custom setting at the bottom of the first page ON BOTH interfaces. Now I'm waiting for the result and will inform you shortly. Sorry again - my bad.

                          best regards
                          Frank

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.