Need help trying to disable FTP preprocessor



  • I'm using snort 2.8.4.1_5 pkg v.1.6, and I keep on getting this alert on legitimate FTP traffic:

    10/28-14:48:06.112348 [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP} 192.197.54.26:10838 -> 10.1.1.51:21

    From what I can tell, this is from the preprocessor. Is there a way to disable it?



  • I used this to suppress the FTP problems I had, based on the information I found in the forum, but I am unable to confirm whether it is correct. You can try it and see the results.

    Add these rules on the "Threshold" page

    suppress gen_id 125, sig_id 2
    suppress gen_id 125, sig_id 4



  • Thanks, it looks like it's working so far. :D



  • This is the list I have collected so far; I'm sure everyone's will be very different.

    suppress gen_id 125, sig_id 2 (ftp_telnet) FTP command parameters were malformed [ ** ]

    suppress gen_id 125, sig_id 4 (ftp_telnet) FTP command parameters were malformed [ ** ]

    suppress gen_id 124, sig_id 2 SMTP ClamAV recipient command injection attempt

    suppress gen_id 1, sig_id 4 Portscan

    suppress gen_id 119, sig_id 4 http_inspect: BARE BYTE UNICODE ENCODING

    suppress gen_id 119, sig_id 2 http_inspect: DOUBLE DECODING ATTACK

    suppress gen_id 1, sig_id 1852

    suppress gen_id 1, sig_id 2077

    suppress gen_id 1, sig_id 2410

    suppress gen_id 122, sig_id 27 sfportscan

    suppress gen_id 122, sig_id 19 sfportscan

    suppress gen_id 119, sig_id 4 http_inspect

    suppress gen_id 122, sig_id 7 sfportscan

    suppress gen_id 125, sig_id 3 (ftp_telnet) FTP command parameters were too long [ ** ]

    suppress gen_id 122, sig_id 1 (portscan) TCP Portscan [ ** ]
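
The suppress lines in this thread silence a signature for every host. Snort's `suppress` also accepts `track by_src|by_dst, ip <address>`, which limits the suppression to one host and leaves the alert active elsewhere. The sketch below is an added example, not part of the original posts: it reads alert lines in the format quoted in the first post and emits one scoped suppress line per signature and host. The function names and all sample lines after the first are constructed for illustration.

```python
import re
from collections import Counter

# Snort "fast" alert line; tolerates the spaced brackets seen in the thread.
ALERT_RE = re.compile(
    r"\[\s*(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\s*\]\s*(?P<msg>.*?)\s*"
    r"\[\s*\*\*\s*\].*?\{(?P<proto>\w+)\}\s*"
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s*->\s*(?P<dst>\d+(?:\.\d+){3})(?::\d+)?"
)

# First line is the alert quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "10/28-14:48:06.112348 [ ** ] [ 125:4:1 ] (ftp_telnet) FTP command parameters were malformed [ ** ] [ Priority: 3 ] {TCP} 192.197.54.26:10838 -> 10.1.1.51:21",
    "10/28-14:49:10.000001 [**] [125:4:1] (ftp_telnet) FTP command parameters were malformed [**] [Priority: 3] {TCP} 198.51.100.7:40112 -> 10.1.1.51:21",
    "10/28-14:50:00.000002 [**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**] [Priority: 3] {TCP} 198.51.100.7:40113 -> 192.0.2.21:21",
    "this line is not an alert and is skipped",
]

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev"):
        fields[key] = int(fields[key])
    return fields

def scoped_suppressions(lines, track="by_dst", min_hits=1):
    """Build host-scoped suppress lines for (gid, sid, host) seen >= min_hits times."""
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    host_field = "src" if track == "by_src" else "dst"
    hits, messages = Counter(), {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # ignore anything that is not an alert line
        key = (alert["gid"], alert["sid"], alert[host_field])
        hits[key] += 1
        messages[key] = alert["msg"]
    out = []
    for (gid, sid, ip), count in sorted(hits.items()):
        if count >= min_hits:
            out.append(f"# {count} alert(s): {messages[(gid, sid, ip)]}")
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}")
    return out

if __name__ == "__main__":
    print("\n".join(scoped_suppressions(SAMPLE)))
```

Review each generated line before adding it: `track by_dst` with the FTP server's address keeps 125:4 alerting for every other destination.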

