Netgate Discussion Forum

Snort: edit ftp preprocessor configuration

pfSense Packages
13 Posts 3 Posters 4.5k Views
    digidax (Dec 3, 2013, 3:57 PM)

    Hello,

    An FTP client sends the FTP command "MFMT" (Modify Fact: Modification Time (MFMT)). The preprocessor doesn't know this command and eventually blocks this host after alerting. The Snort docs describe the configuration of the preprocessor in snort.conf:
    http://manual.snort.org/node140.html
    If I add the missing command to my "/usr/pbi/snort-amd64/etc/snort/snort.conf", what happens to my changes after an update of the pfSense Snort package, or is there another way to make this persistent?

    best regards
    Frank

      bmeeks (Dec 3, 2013, 5:43 PM, edited 9:20 PM)

      @digidax:

      Hello,

      a FTP client sends the FTP command "MFMT" (Modify Fact: Modification Time (MFMT)). The preprocessor doesn't know this command and finally blocks this host after alerts. The snort doc's are writing about the configuration of the preprocessor in snort.conf:
      http://manual.snort.org/node140.html
      If I add the missing command in my "/usr/pbi/snort-amd64/etc/snort/snort.conf" after a update of the pfsense snort package - what is with my changes or is there an other way to make this persistent?

      best regards
      Frank

      Currently the Snort package on pfSense does not permit edits directly to the snort.conf file.  This file is overwritten and recreated on each update of Snort rules and with each start/stop of the Snort process (such as a reboot).  So any customizations are lost on the next start of Snort.

      You can use the advanced pass-through option on the Interface tab for the interface you want to customize.

      First, go to the Preprocessors tab for the interface and uncheck the Enable FTP and Telnet Normalizer option.  This will stop the automatic generation of the FTP-Telnet preprocessor configuration in the snort.conf file.

      Next, go to the Interface tab and scroll down to the bottom of the page.  You will have to enter the complete configuration string for the FTP-Telnet preprocessor in the text area box there.  The entire preprocessor configuration string, including any customized commands, is required.  My suggestion is to first copy what is in the existing snort.conf file for the FTP-Telnet preprocessor and paste it into the pass-through text box.  Then make any additional edits you require.  Save the changes and then restart Snort on the interface.

      Basically what this feature provides is a way to create your own configuration lines for any preprocessor you need to customize beyond what the GUI currently provides options for.

      Bill

        digidax (Dec 4, 2013, 6:47 AM)

        Thanks Bill,

        I have implemented it as you wrote it down in your great HowTo, and it works perfectly!

        Thanks again,
        Frank

          digidax (Dec 4, 2013, 4:58 PM)

          Feedback after one day:

          Now a lot of clients can connect to our FTP servers. Taking a look into the FTP log, more and more clients are using the "MFMT" command.

          1. How can I contact the maintainer of the pfSense package to ask him to add the command to the preprocessor setup by default?

          2. In my pfSense XML backup there is nothing about my changes at the bottom of the Interface tab. Will they not be restored in the worst case, so I have to back them up manually?

          best regards
          Frank

            fragged (Dec 4, 2013, 8:59 PM)

            Bill / bmeeks above is the current maintainer of the Snort package on pfSense.

            Edit:

            There is a commit pending for a Snort 2.9.5.5 (?) binary version that is waiting for approval from the pfSense core team. I'm sure he can look into implementing your changes into a future release of the package.

              bmeeks (Dec 5, 2013, 12:37 AM)

              @digidax:

              Feedback after one day:

              Now a lot of clients can now connect to our FTP servers. Taking a look into the FTP Log, more and more clients are using the "MFMT" command.

              1. How can I contact the maintainer of the pfsense package to ask him for adding the command into the preprocessor setup by default?

              2. In my pfsense XML Backup is nothing found about my changes on the bottom of the interface tab. Will it not being restored in the worst case? So I have to backup it manually?

              best regards
              Frank

              I can add the missing command to the next update. As for the pass-through data, I need to check on it getting written to the XML.  I did not create the original package, so I have not looked at the pass-through field specifically.

              Bill

                digidax (Dec 6, 2013, 1:56 PM)

                Hi Bill,

                thanks for your help. To "enable" the FTP command "MFMT" I have made the following settings in "Advanced configuration pass-through", but it only works with some clients and some others are blocked. Do you have an idea what I did wrong?

                # FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
                # Global settings: stateful inspection; encrypted sessions are not alerted on but keep being checked.
                preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
                # Telnet side: alert after 20 consecutive AYT commands, normalize port 23, detect anomalies.
                preprocessor ftp_telnet_protocol: telnet \
                    ayt_attack_thresh 20 \
                    normalize ports { 23 } \
                    detect_anomalies
                # FTP server side.  MFMT is not in the stock command list; it was appended to ftp_cmds,
                # alt_max_param_len 512 and chk_str_fmt below so the preprocessor accepts it.
                preprocessor ftp_telnet_protocol: ftp server default \
                    def_max_param_len 100 \
                    ports { 21 2100 3535 } \
                    telnet_cmds yes \
                    ignore_telnet_erase_cmds yes \
                    ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
                    ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
                    ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
                    ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
                    ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
                    ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
                    ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
                    ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
                    ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
                    ftp_cmds { XSEN XSHA1 XSHA256 MFMT } \
                    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
                    alt_max_param_len 512 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
                    alt_max_param_len 256 { CWD RNTO } \
                    alt_max_param_len 400 { PORT } \
                    alt_max_param_len 512 { SIZE MFMT } \
                    chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
                    chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
                    chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
                    chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
                    chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
                    chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
                    chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
                    chk_str_fmt { XSEM XSEN XSHA1 XSHA256 MFMT } \
                    cmd_validity ALLO < int [ char R int ] > \
                    cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
                    cmd_validity MACB < string > \
                    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
                    cmd_validity MODE < char ASBCZ > \
                    cmd_validity PORT < host_port > \
                    cmd_validity PROT < char CSEP > \
                    cmd_validity STRU < char FRPO [ string ] > \
                    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
                # FTP client side: cap server response length and alert on FTP bounce attempts.
                preprocessor ftp_telnet_protocol: ftp client default \
                    max_resp_len 256 \
                    bounce yes \
                    ignore_telnet_erase_cmds yes \
                    telnet_cmds yes

                best regards
                Frank

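The two practical steps in this thread are copying the generated FTP-Telnet block into the pass-through box intact (Bill's first answer) and getting the MFMT additions right in that block (the configuration just posted). The following is an added example, not code from the pfSense Snort package or from Snort's own parser: it joins the backslash-continued lines of a snort.conf fragment the way you have to keep them together when pasting, pulls the "ftp server" directive apart, and reports what the preprocessor has to complain about for a given FTP command line, an unknown command or an over-long parameter. The directive text embedded in it is the posted one trimmed to the keywords the checker understands; the function names, the "last alt_max_param_len entry wins" precedence, and the 100-byte default for def_max_param_len (the README default) are this example's own assumptions.

```python
"""Sanity-check a Snort 2.9 ftp_telnet 'ftp server' directive.

Added example for this thread, not code from the pfSense Snort package or
from Snort itself.  It joins backslash-continued snort.conf lines, extracts
the 'ftp server' directive and checks FTP command lines against the
ftp_cmds / def_max_param_len / alt_max_param_len lists.
"""
import re
from collections import defaultdict

# Constructed input: the server directive from the post above, shortened.
SAMPLE_CONF = r"""
# FTP / Telnet normalization and anomaly detection.
preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
preprocessor ftp_telnet_protocol: ftp server default \
    def_max_param_len 100 \
    ports { 21 2100 3535 } \
    ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
    ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
    ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
    ftp_cmds { XSEN XSHA1 XSHA256 MFMT } \
    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
    alt_max_param_len 512 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
    alt_max_param_len 512 { SIZE MFMT } \
    chk_str_fmt { XSEM XSEN XSHA1 XSHA256 MFMT } \
    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes
"""


def join_continuations(text):
    """Return the logical lines of a snort.conf fragment.

    Trailing-backslash continuations are joined and comment/blank lines are
    dropped.  Whitespace is stripped first because the stock snort.conf has
    spaces after some of its backslashes.
    """
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip() + " "
            continue
        logical.append((pending + line).strip())
        pending = ""
    if pending:                      # file ended inside a continuation
        logical.append(pending.strip())
    return logical


def parse_ftp_server(text):
    """Pull the 'ftp server' directive apart into the lists we need."""
    for line in join_continuations(text):
        if line.startswith("preprocessor ftp_telnet_protocol:") and " ftp server " in line:
            break
    else:
        raise ValueError("no 'ftp server' directive found")
    cfg = {"cmds": set(), "def_max": 100,      # 100 is the README default (assumed)
           "alt_max": defaultdict(list), "chk_str_fmt": set()}
    for m in re.finditer(r"ftp_cmds\s*\{([^}]*)\}", line):
        cfg["cmds"].update(m.group(1).split())
    m = re.search(r"def_max_param_len\s+(\d+)", line)
    if m:
        cfg["def_max"] = int(m.group(1))
    for m in re.finditer(r"alt_max_param_len\s+(\d+)\s*\{([^}]*)\}", line):
        for cmd in m.group(2).split():
            cfg["alt_max"][cmd].append(int(m.group(1)))
    for m in re.finditer(r"chk_str_fmt\s*\{([^}]*)\}", line):
        cfg["chk_str_fmt"].update(m.group(1).split())
    return cfg


def check_command(cfg, cmdline):
    """List the problems the preprocessor would raise for one command line.

    An empty list means the command is known and its parameter fits.  When a
    command sits in several alt_max_param_len lists this checker takes the
    last one; that is an assumption about precedence, not documented Snort
    behaviour, which is why duplicate_alt_max() exists.
    """
    verb, _, param = cmdline.strip().partition(" ")
    verb = verb.upper()
    if verb not in cfg["cmds"]:
        return ["invalid command: %s is not in ftp_cmds" % verb]
    limits = cfg["alt_max"].get(verb)
    limit = limits[-1] if limits else cfg["def_max"]
    if len(param) > limit:
        return ["parameter too long: %d > %d for %s" % (len(param), limit, verb)]
    return []


def duplicate_alt_max(cfg):
    """Commands listed under more than one alt_max_param_len entry."""
    return {c: lens for c, lens in cfg["alt_max"].items() if len(lens) > 1}


if __name__ == "__main__":
    cfg = parse_ftp_server(SAMPLE_CONF)
    for sample in ("MFMT 20131206143000 /pub/file.txt", "CDUP now", "MKD " + "a" * 101):
        print("%-34s -> %s" % (sample[:34], check_command(cfg, sample) or "ok"))
    print("in more than one alt_max_param_len list:", duplicate_alt_max(cfg))
```

Run against the posted directive, MFMT with a timestamp and path passes, while the same line against a copy without MFMT in ftp_cmds comes back as an invalid command, which is the alert-then-block behaviour described in the first post. The duplicate check also flags STOU, which the stock configuration lists under both alt_max_param_len 0 and 512; the checker only reports it, since the thread does not establish how Snort resolves that.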
                  bmeeks (Dec 6, 2013, 2:33 PM, edited 3:16 PM)

                  @digidax:

                  Hi Bill,

                  thanks for your help. To "enable" the ftp command "MFMT" I have made the following settings on "Advanced configuration pass-through" but it will only work with some clients and some other are blocked. Do you have an idea what did I make wrong?

                  # FTP / Telnet normalization and anomaly detection.  For more information, see README.ftptelnet
                  preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
                  preprocessor ftp_telnet_protocol: telnet \
                      ayt_attack_thresh 20 \
                      normalize ports { 23 } \
                      detect_anomalies
                  preprocessor ftp_telnet_protocol: ftp server default \
                      def_max_param_len 100 \
                      ports { 21 2100 3535 } \
                      telnet_cmds yes \
                      ignore_telnet_erase_cmds yes \
                      ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
                      ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
                      ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
                      ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
                      ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
                      ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
                      ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
                      ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
                      ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
                      ftp_cmds { XSEN XSHA1 XSHA256 MFMT } \
                      alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
                      alt_max_param_len 512 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
                      alt_max_param_len 256 { CWD RNTO } \
                      alt_max_param_len 400 { PORT } \
                      alt_max_param_len 512 { SIZE MFMT } \
                      chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
                      chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
                      chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
                      chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
                      chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
                      chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
                      chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \ 
                      chk_str_fmt { XSEM XSEN XSHA1 XSHA256 MFMT } \
                      cmd_validity ALLO < int [ char R int ] > \    
                      cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
                      cmd_validity MACB < string > \
                      cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
                      cmd_validity MODE < char ASBCZ > \
                      cmd_validity PORT < host_port > \
                      cmd_validity PROT < char CSEP > \
                      cmd_validity STRU < char FRPO [ string ] > \    
                      cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
                  preprocessor ftp_telnet_protocol: ftp client default \
                      max_resp_len 256 \
                      bounce yes \
                      ignore_telnet_erase_cmds yes \
                      telnet_cmds yes
                  

                  best regards
                  Frank

                  Frank:

                  I'm not proficient in this area of Snort, but just looking at your configuration I wonder if it is legal to have two alt_max_param_len 512 entries in the file.  Snort might get confused in parsing, or it may be fine with it (I really don't know).  I assume it is not throwing any errors during startup parsing.  I would try combining those two alt_max_param_len 512 entries into a single one, though, to see if that makes any difference.

                  Is there any difference between the types of clients having a problem and those that do not?  Are they, for example, the same type and version operating system?  Are they using the same FTP client, etc.?

                  Bill

                    digidax (Dec 6, 2013, 2:54 PM)

                    Bill,

                    taken from the original snort.conf:

                    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
                    alt_max_param_len 512 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
                    alt_max_param_len 256 { CWD RNTO } \
                    alt_max_param_len 400 { PORT } \
                    alt_max_param_len 512 { SIZE } \

                    I have only added to the last line:

                    alt_max_param_len 512 { SIZE MFMT } \

                    To take in the additional command with the same length - yes, this could be the problem, but on the other hand SIZE was also set in the last line.

                    I will post the problem on the Snort mailing list and will edit the link into this post for following up the discussion.

                    Thanks and best regards
                    Frank

                      bmeeks (Dec 6, 2013, 3:15 PM)

                      @digidax:

                      Bill,

                      taken from the original snort.conf :

                      alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD }
                          alt_max_param_len 512 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD }
                          alt_max_param_len 256 { CWD RNTO }
                          alt_max_param_len 400 { PORT }
                          alt_max_param_len 512 { SIZE } \

                      I have add only on the last line:

                      alt_max_param_len 512 { SIZE MFMT } \

                      For taking additional the command with the same lenght - yes this could be the problem but otherwise the SIZE was set also in the last line.

                      I will post the problem on the snort mailing list and will edit in this posting the link for follow uo the discussion.

                      Thanks and best regards
                      Frank

                      Oops!  My bad.  I looked in the Snort README file for FTP-Telnet and did not check the actual Snort package source file.  I think that config line in the Snort package file probably needs to be fixed.

                      The mailing list is a good idea.  Keep me posted, and I will make any necessary edits to the package code.

                      Bill

                        digidax (Dec 10, 2013, 11:06 AM)

                        Bill,

                        I have unchecked the FTP preprocessor and have also deleted the additional text at the end of the Interface tab. Then I saved and reloaded Snort from the Services tab.
                        But the preprocessor still blocks invalid FTP commands, unchanged!!! Why?

                        Could it be that something is going wrong inside pfSense while applying the configuration?

                        best regards
                        Frank

                          bmeeks (Dec 10, 2013, 3:12 PM, edited 3:23 PM)

                          @digidax:

                          Bill,

                          I have unchecked the FTP preprocessor and have also deleted the additional writing at the end of the interface tab. Then save and reload snort from the service tab.
                          But the preprocessor blocks untouched invalid FTP commands !!! Why?

                          Can it be, that anything is going wrong inside pfsense during applying the configuration?

                          best regards
                          Frank

                          Look in the actual snort.conf file for the affected interface and verify the FTP preprocessor configuration is in fact not there.  It should not be if FTP-Telnet normalization is disabled on the Preprocessors tab for the interface.  The path to the configuration file will be /usr/pbi/snort-{arch}/etc/snort/snort_xxxx (where xxxx is a random number string and the interface name such as em0, em1, etc.).

                          Next thing to check is that the alert and block is actually from the FTP preprocessor and not a text rule.  What is the alert signature?  Is the Generator ID something other than 1?  If so, then it is a preprocessor alert.  If other than 1, does the Generator ID match that of the FTP-Telnet preprocessor, 125?  If it is 1, then a text rule fired the alert.

                          Bill

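The two checks Bill lists above, whether the per-interface snort.conf still carries ftp_telnet directives and whether the alert came from GID 125 or from a text rule (GID 1), are easy to script. The block below is an added example, not pfSense package code. Its sample alert lines are constructed in Snort's alert_fast layout; the pfSense package may write its alert log in a different layout, but the [gid:sid:rev] triple it records is the same thing being read here. The SIDs and message texts in the samples are illustrative; the authoritative GID/SID meanings are in the gen-msg.map that ships with the package. The function names and the two stand-in snort.conf snippets are this example's own assumptions.

```python
"""Tell a preprocessor alert from a text-rule alert, and confirm a generated
snort.conf really has no ftp_telnet directives left.

Added example for this thread, not pfSense package code.  Sample alerts are
constructed in Snort's alert_fast layout with RFC 5737 addresses.
"""
import re
from collections import Counter

FTP_TELNET_GID = 125          # generator id of the ftp_telnet preprocessor
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")

# Constructed sample log lines; message texts are illustrative only.
SAMPLE_ALERTS = """\
12/10-10:41:02.113742  [**] [125:2:1] (ftp_telnet) Invalid FTP Command [**] [Priority: 3] {TCP} 203.0.113.7:51420 -> 192.0.2.21:21
12/10-10:41:03.551200  [**] [1:1000001:1] LOCAL ftp rule (constructed) [**] [Priority: 2] {TCP} 203.0.113.7:51420 -> 192.0.2.21:21
12/10-10:42:17.009311  [**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**] [Priority: 3] {TCP} 198.51.100.4:40022 -> 192.0.2.21:21
12/10-10:43:40.777001  [**] [129:12:1] (stream5) constructed stream alert [**] [Priority: 3] {TCP} 198.51.100.4:40023 -> 192.0.2.21:21
"""


def parse_alert(line):
    """Return gid, sid, msg and where the alert came from, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid = int(m.group(1)), int(m.group(2))
    if gid == 1:
        origin = "text rule"                     # a rule in a .rules file
    elif gid == FTP_TELNET_GID:
        origin = "ftp_telnet preprocessor"
    else:
        origin = "other preprocessor/decoder (gid %d)" % gid
    return {"gid": gid, "sid": sid, "msg": m.group(4), "origin": origin}


def summarize(log_text):
    """Count alerts per origin.  Anything from gid 125 means the FTP-Telnet
    preprocessor is still active on the interface that wrote this log."""
    return Counter(a["origin"] for a in map(parse_alert, log_text.splitlines()) if a)


def ftp_telnet_configured(conf_text):
    """True if the generated snort.conf still carries ftp_telnet directives.

    With FTP-Telnet normalization unchecked on the Preprocessors tab and no
    pass-through text, this should be False for that interface's file.
    """
    return any(l.lstrip().startswith("preprocessor ftp_telnet")
               for l in conf_text.splitlines())


if __name__ == "__main__":
    for a in filter(None, map(parse_alert, SAMPLE_ALERTS.splitlines())):
        print("%3d:%-8d %-36s %s" % (a["gid"], a["sid"], a["origin"], a["msg"]))
    print(dict(summarize(SAMPLE_ALERTS)))
    # Constructed snippets standing in for two per-interface snort.conf files.
    wan_conf = "preprocessor stream5_global: ...\npreprocessor ftp_telnet: global inspection_type stateful\n"
    dmz_conf = "preprocessor stream5_global: ...\n# ftp_telnet disabled in the GUI\n"
    print("WAN has ftp_telnet:", ftp_telnet_configured(wan_conf))
    print("DMZ has ftp_telnet:", ftp_telnet_configured(dmz_conf))
```

Run the summary against each interface's alert log separately: Snort on pfSense keeps one configuration and one log per interface, so a GID 125 count on one interface's log while that interface's snort.conf has no ftp_telnet lines points at the wrong interface being edited rather than at the pass-through text.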
                            digidax (Dec 13, 2013, 8:29 AM)

                            Bill thanks for your help.

                            Yes, I've checked the configuration file too. But now I think it's my bad. Sorry. Snort is running on the WAN and DMZ interfaces. All my playing around with the FTP preprocessor setting I did on the WAN interface, not thinking that maybe I have to do this on the DMZ interface as well. The Blocked list didn't give me any information about which interface set the block.

                            I have now disabled the FTP preprocessor on both interfaces and inserted the custom setting at the bottom of the first tab ON BOTH interfaces. Now I'm waiting for the result and will inform you shortly. Sorry again - my bad.

                            best regards
                            Frank

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.