Ftp server behind PFSense1.2.2 and Snort



  • Firstly, I was using Smoothwall for many years, but now finally  I installed PFSense to protect my homeLAN.
    I really like this piece of software, and this seems to be lot better, and feature rich firewall than Smoothwall was.
    Also my main  "desktop computer" and server uses FreeBSD 7.1. I have BSD experience allmost 7 years now, never going back to m$.

    BUT!
    I have Freebsd ftp-server behind PFSense 1.2.2 and installed Snort 2.8.2.6_1 via packages.
    Snort seems to work fine, but when I got ftp-connection to my server Snort alerts

    [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP}
    [ ** ] [ 125:6:1 ] (ftp_telnet) FTP response message was too long [ ** ] [ Priority: 3 ] {TCP}

    Problem is, when I use Snort blocking feature, (I want to use it) Snort blocks the connection to my ftp server for 1 hour, from that IP, where the connection is made of.
    I'm using many of the snort rules, but the problem is not the rules, but snort "preprocessor ftp_telnet_protocol".
    I try to comment out (#) "dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ftptelnet_preproc.so"  line from snort.conf, but it appears allways back, when snort starts up.

    ftp-server works fine, but snort blocks the connections.

    Trying to google the problem, but no help so far. Is there a workaround for this kind of prob.
    Anyone can help?



  • try to edit /usr/local/pkg/snort.inc .



  • jes. thanks, comment out that
    #dynamicpreprocessor file /usr/local/lib/snort/dynamicpreprocessor/libsf_ftptelnet
    from snort.inc

    It's solved!
    ;D



  • …or not solved, just checking the logs.
    got FATAL ERROR: Misconfigured dynamic preprocessor(s), so snort not start up normally.
    And Snort doesn´t make any alerts for any rules, or blocking!.

    Now I´m installing the alternative for ftp (Coppermine, photo album (Yes, I have only photos behind that ftp server)).
    ftp seem´s to be too complicated, and not secure enough for this firewall anyway.
    :(



  • there's a section in snort.inc where allowed ftp commands are defined and so on. comment that section out and it'll work.



  • That section is huge. Are we to comment out everything? Meaning all FTP commands specified there? I have the same problem with snort alerting about malformed ftp commands etc.



  • I did it that way as it was the only way that got incoming ftp to proftpd working. Please let me know if you find another way.



  • now I have my Coppermine album online, If interested in aviation check out http://mohman.homeip.net
    Also my ftp server is online, but snort is still blocking connections.



  • Since there have been alot of activity in the forum lately aroun snort, i thought that I should pick up this thread again! =)

    I still have problems with ftp creating alerts, even though I have whitelisted all the ip´s triggering the ftp helper. I also have disabled the ftp rule category. I have tried to add some commands to snort.inc but, no difference. Any ideas?

    I´m running pfsense 1.2.2 and snort 2.8.4

    Last 100 Snort Alert entries
    06/10-09:20:02.147179 [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP} xxxxxxx:59636 -> xxxxxxxxx:21

    06/10-09:20:02.521083 [ ** ] [ 125:2:1 ] (ftp_telnet) Invalid FTP Command [ ** ] [ Priority: 3 ] {TCP} xxxx:59636 -> xxxxxx:21


  • Rebel Alliance Developer Netgate

    @jamesdean:

    That alret is not comming from a rule. Its comming from a snort dynamicpreprocessor libsf_ftptelnet. You need to use the /usr/local/etc/snort/threshold.conf.
    I am still adding features to the snort package and this one is on my TODO list. Give me a sec and I'll tell you what to add. I'm only one man so things take time.

    I, too, have had issues with the FTP preprocessor in the past. One fix was easy – adding EPSV, but others have eluded me. SITE has also given me trouble before from people using IE as an FTP client. You pretty much have to tcpdump on both sides of the pfSense box while watching the connection to see which command it tries and fails, and keep altering the FTP directives to suit it. For my customer with issues I disabled the entire FTP preprocessor -- from the "preprocessor ftp_telnet: global " all the way down to the "max_resp_len 100" line.

    I wonder if there is a more up-to-date set of preprocessor directives out there somewhere that might help.

    There is supposedly a directive that will make the proprocessor only alert and not block, but I never could get it to work right, so disabling was easier.



  • Great!! I´ll disable the ftppreprocessor until you are done then. Thanks for all the hardwork!!



  • Hello Jamesdean -

    Well, first of all, thank you for your work on the pfSense Snort package. It is working for me for the first time. However, it is not possible for someone to make an FTP connection to an FTP server behind pfSense now that snort is installed. This is the error:

    Last 100 Snort Alert entries
    [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ]  
    [ Priority: 3 ]  
    06/16-21:48:11.601430 xxx.xxx.xxx.xxx:50218 -> xxx.xxx.xxx.xxx:21 
    TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:46 
    ***AP*** Seq: 0xFB21BEF1 Ack: 0x8546B491 Win: 0x430 TcpLen: 20 
    

    I tried the fix you suggested:

    Put this in your /usr/local/etc/snort/threshold.conf

    suppress gen_id 4, sig_id 125
    suppress gen_id 2, sig_id 125

    I rebooted, and 'restarted' snort but the error is the same.

    Please, I need to get this working. Any other workaround besides disabling Snort?

    Thank you.

    ps- I'm on pfSense 1.2.3 RC1 with Snort 2.8.4.1 pkg v. 1.3



  • Thanx for the nice words.

    oops, my falt, I had the numbers reversed.  Try this.

    Put this in your /usr/local/etc/snort/threshold.conf

    suppress gen_id 125, sig_id 4
    suppress gen_id 125, sig_id 2



  • That seems to have worked… THANKS!



  • @caseystone:

    That seems to have worked… THANKS!

    NP…



  • Thanks JamesDean. The threshold stuff worked for me too to get rid of a lot of ftp preprocessor stuff.

    Thought, I still have the following [ ** ] [ 125:1:1 ] (ftp_telnet) TELNET CMD on FTP Command Channel [ ** ] 
    [ Priority: 3 ]

    Any threshold command to remove that?



  • Yes… I got that ftp-telnet alert yesterday also. Is that a preprocessor alert? I couldn't find it in the rules to disable it.



  • I believe that it is a preprocessor alert.


Log in to reply