Netgate Discussion Forum

    Snort 2.8.2.1_1 ignoring WhiteList & loading non checked categories

      churchmedic

      Using pfSense 1.2.1 and Snort 2.8.2.1_1

      Snort appears to be ignoring WhiteList & loading non checked categories.
      We are loading ac-bnfa (have tried others as well)

      12/27-05:44:39.502274 [ ** ] [ 125:3:1 ] (ftp_telnet) FTP command parameters were too long [ ** ] [ Priority: 1 ] {TCP} x.x.36.252:61443 -> x.x.37.35:21
      12/27-05:44:39.502452 [ ** ] [ 125:3:1 ] (ftp_telnet) FTP command parameters were too long [ ** ] [ Priority: 1 ] {TCP} x.x.36.252:61443 -> x.x.37.35:21
      12/27-05:44:48.188259 [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP} x.x.36.252:61443 -> x.x.37.35:21

      (x replaces the actual octet, of course)

      I have turned off every rulegroup except one… ( x11.rules) but this still comes up in the alerts.
      When we place x.x.36.252 into the Whitelist - clear the logs - restart
      give it 10 minutes or so - and voila - back in the logs

      Sadly - I don't want to begin having SNORT block due to traffic that is needed to get through might not...

      Any ideas here?

      Thanks

        churchmedic

        I completed a reload of the entire system -
        same issue… :-(

          GridSouth

          This alert is NOT triggered by a standard rule but rather by the FTP/Telnet preprocessor as defined in the snort.conf (which, in pfSense, is regenerated every time the service is restarted with different parameters). The basis for the snort.conf file is found in the /usr/local/pkg/snort.inc file.

          This link explains a bit about the preprocessor parameters: http://readlist.com/lists/lists.sourceforge.net/snort-users/0/2256.html

          Here is the section of interest:

          FTP Server Configuration:
          options                           description
          -------------                     -----------
          drop_telnet_cmd                   Drop TELNET CMD on FTP Command Channel
          drop_invalid_cmd                  Drop invalid FTP Command
          drop_long_cmd_parameters          Drop FTP command parameters that are too long
          --->drop_malformed_parameters     Drop FTP command parameters were malformed
          drop_string_format_parameters     Drop FTP command parameters that contain potential string format

          I have not figured out the exact syntax for altering the /usr/local/pkg/snort.inc (and thus the snort.conf file) to disable the pesky issue. According to the reference there should be a way to add a global setting in the snort.conf file that will cause the drop_malformed_parameters state to be false.

          Something like ...

          malformed_parameters no \

          I have just not found the correct syntax for doing this. If anyone else knows, this would be greatly appreciated.

          Thanks

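To illustrate the point made in the reply above (the alerts come from a preprocessor, not from a rule category), here is an added example that is not part of the original thread. It parses Snort alert lines in the format quoted in the first post and groups them by generator ID and signature ID; the function names and the last sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Snort "fast" alert line; tolerant of the extra spaces seen in this thread's logs.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\s*\*\*\s*\]\s+"
    r"\[\s*(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s*\]\s+"
    r"(?P<msg>.*?)\s+\[\s*\*\*\s*\]\s+"
    r"(?:\[\s*Classification:[^\]]*\]\s+)?"
    r"\[\s*Priority:\s*(?P<prio>\d+)\s*\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
RULE_GIDS = {1, 3}  # 1 = text rules, 3 = shared-object rules; other GIDs are not rules

# First three lines are the alerts quoted in the thread; the last one is constructed.
SAMPLE = """
12/27-05:44:39.502274 [ ** ] [ 125:3:1 ] (ftp_telnet) FTP command parameters were too long [ ** ] [ Priority: 1 ] {TCP} x.x.36.252:61443 -> x.x.37.35:21
12/27-05:44:39.502452 [ ** ] [ 125:3:1 ] (ftp_telnet) FTP command parameters were too long [ ** ] [ Priority: 1 ] {TCP} x.x.36.252:61443 -> x.x.37.35:21
12/27-05:44:48.188259 [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP} x.x.36.252:61443 -> x.x.37.35:21
12/27-05:50:01.000001 [**] [1:1000001:1] CONSTRUCTED local rule alert [**] [Priority: 2] {TCP} 192.0.2.10:40000 -> 192.0.2.20:6000
"""

def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    comp = re.match(r"\((\w+)\)", a["msg"])  # e.g. "(ftp_telnet)" message prefix
    a["component"] = comp.group(1) if comp else None
    a["origin"] = "rule" if a["gid"] in RULE_GIDS else "preprocessor/decoder"
    return a

def summarize(lines):
    """Group alerts by (gid, sid) so non-rule alert sources stand out."""
    out = defaultdict(lambda: {"count": 0, "sources": set(), "origin": None, "component": None})
    for a in filter(None, map(parse_alert, lines)):
        entry = out[(a["gid"], a["sid"])]
        entry["count"] += 1
        entry["sources"].add(a["src"].rsplit(":", 1)[0])  # strip the source port
        entry["origin"], entry["component"] = a["origin"], a["component"]
    return dict(out)

if __name__ == "__main__":
    for (gid, sid), e in sorted(summarize(SAMPLE.splitlines()).items()):
        print(f"{gid}:{sid} x{e['count']} origin={e['origin']} "
              f"component={e['component']} sources={sorted(e['sources'])}")
```

Any entry whose origin is not "rule" will keep appearing no matter which rule categories are unchecked. Standard Snort event suppression (`suppress gen_id 125, sig_id 3`) keys on the same GID:SID pair; whether the pfSense package's regenerated snort.conf preserves such a line is not covered in this thread.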
            mikesamo

            OK, I got the same problem
            so I removed the dynamic ftptelnet processor from snort

            the way to do it

            edit /usr/local/etc/snort/snort.conf

            comment this line

            #dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.so

            and restart snort

              GridSouth

              That removes the entire preprocessor. There should be a way to disable the drop_malformed_parameters only and still use the preprocessor.

                mikesamo

                fixed when snort update was completed
