Snort 2.8.2.1_1 ignoring WhiteList & loading non checked categories
-
Using pfSense 1.2.1 and Snort 2.8.2.1_1
Snort appears to be ignoring WhiteList & loading non checked categories.
We are loading ac-bnfa (have tried others as well).

12/27-05:44:39.502274 [ ** ] [ 125:3:1 ] (ftp_telnet) FTP command parameters were too long [ ** ] [ Priority: 1 ] {TCP} x.x.36.252:61443 -> x.x.37.35:21
12/27-05:44:39.502452 [ ** ] [ 125:3:1 ] (ftp_telnet) FTP command parameters were too long [ ** ] [ Priority: 1 ] {TCP} x.x.36.252:61443 -> x.x.37.35:21
12/27-05:44:48.188259 [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP} x.x.36.252:61443 -> x.x.37.35:21

(x replaces the actual octet, of course)
I have turned off every rule group except one… (x11.rules) but this still comes up in the alerts.
When we place x.x.36.252 into the Whitelist - clear the logs - restart - give it 10 minutes or so - and voila - back in the logs.
Sadly - I don't want to begin having Snort block, since traffic that is needed to get through might not...
Any ideas here?
Thanks
-
I completed a reload of the entire system -
same issue… :-(
-
This alert is NOT triggered by a standard rule but rather by the FTP/Telnet preprocessor as defined in the snort.conf (which, in pfSense, is regenerated every time the service is restarted, with different parameters). The basis for the snort.conf file is found in the /usr/local/pkg/snort.inc file.
This link explains a bit about the preprocessor parameters: http://readlist.com/lists/lists.sourceforge.net/snort-users/0/2256.html
Here is the section of interest:
FTP Server Configuration:

options                          description
-------------------------------  -----------
drop_telnet_cmd                  Drop TELNET CMD on FTP Command Channel
drop_invalid_cmd                 Drop invalid FTP Command
drop_long_cmd_parameters         Drop FTP command parameters that are too long
--->drop_malformed_parameters    Drop FTP command parameters were malformed
drop_string_format_parameters    Drop FTP command parameters that contain potential string format

I have not figured out the exact syntax for altering the /usr/local/pkg/snort.inc (and thus the snort.conf file) to disable the pesky issue. According to the reference there should be a way to add a global setting in the snort.conf file that will cause the drop_malformed_parameters state to be false.
Something like ...
malformed_parameters no \
I have just not found the correct syntax for doing this. If anyone else knows, this would be greatly appreciated.
Thanks
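The alerts quoted in the first post carry generator ID 125, so no rule-category checkbox can switch them off: only GID 1 alerts come from the rules engine, the rest come from preprocessors such as ftp_telnet. The parser below is an added example, not code from the thread or from pfSense; it reads Snort 2.8 fast-format alert lines (constructed samples with RFC 1918 addresses stand in for the masked ones), labels each by generator and flags sources that are on a whitelist, which makes a preprocessor alert from a whitelisted host stand out immediately.

```python
import re
from ipaddress import ip_address, ip_network

# Snort 2.8 "fast" alert format, the shape quoted in the thread; bracket spacing is
# tolerated so the forum's "[ ** ]" rendering parses as well as the real "[**]".
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\s*\*\*\s*\]\s+\[\s*(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s*\]\s+"
    r"(?P<msg>.*?)\s+\[\s*\*\*\s*\]\s+(?:\[Classification:[^\]]*\]\s+)?"
    r"\[\s*Priority:\s*(?P<prio>\d+)\s*\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# GID 1 is the rules engine; any other generator ID is a preprocessor or decoder,
# which no rule-category checkbox controls. Only the GID this thread concerns is named.
GENERATORS = {1: "rule", 125: "ftp_telnet preprocessor"}

# Constructed sample: the thread's three alerts with RFC 1918 addresses, plus one
# ordinary rule alert (local SID range) for contrast.
SAMPLE_ALERTS = [
    "12/27-05:44:39.502274 [**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**] [Priority: 1] {TCP} 10.0.36.252:61443 -> 10.0.37.35:21",
    "12/27-05:44:39.502452 [**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**] [Priority: 1] {TCP} 10.0.36.252:61443 -> 10.0.37.35:21",
    "12/27-05:44:48.188259 [**] [125:4:1] (ftp_telnet) FTP command parameters were malformed [**] [Priority: 3] {TCP} 10.0.36.252:61443 -> 10.0.37.35:21",
    "12/27-05:50:01.000000 [**] [1:1000001:1] LOCAL constructed test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.40.9:53211 -> 10.0.37.35:21",
]

def parse_alert(line):
    # One fast-format line -> dict of fields, or None if the line is not an alert.
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    a["generator"] = GENERATORS.get(a["gid"], "other preprocessor/decoder")
    return a

def triage(lines, whitelist):
    # Parse every alert and flag those whose source address is on the whitelist:
    # a whitelisted source that keeps alerting is the symptom the thread describes.
    nets = [ip_network(w, strict=False) for w in whitelist]
    alerts = []
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            a["src_whitelisted"] = any(ip_address(a["src"]) in n for n in nets)
            alerts.append(a)
    return alerts
```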
-
OK, I got the same problem,
so I removed the dynamic ftptelnet preprocessor from snort. The way to do it:
edit /usr/local/etc/snort/snort.conf
comment this line
#dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.so
and restart snort
-
That removes the entire preprocessor. There should be a way to disable the drop_malformed_parameters only and still use the preprocessor
-
fixed when snort update was completed