
Snort Forums Archive


ftpbounce rule, keyword error, causing reboots


Posted by chris on April 03, 2005 05:58:13

Hi guys, I just updated my snort rules today, and the "ftpbounce" keyword in the ftp rules file caused my snort system to go into a reboot cycle after the snort service stopped unexpectedly; it seems my snort didn't recognise the keyword "ftpbounce" in the ftp rules file.
I've got it sorted now, but I thought I'd let everyone know.
Cheers.
Chris

Posted by ontime on April 03, 2005 06:35:48

Just out of curiosity, what was causing the problem?

Posted by chris on April 03, 2005 16:04:56

So far I've not looked into it very deeply as I've not got the ftp service running, and it being Sunday ;-), I just got the system up and left it, but from the Event Viewer on Win2003, the message was "unknown keyword 'ftpbounce'" in the ftp.rules file. That's all snort reported.

Posted by DavidG on April 04, 2005 09:35:33

I also had a problem with that rule. My system didn't crash, but snort exited with a keyword error caused by ftpbounce.

I've commented out the rule, but I'm afraid I'll have the same problem when the new set is released.

I'm running snort 2.3.2 build 12

The rule causing the problem is:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype: misc-attack; sid:3441; rev:1;)

Posted by W1ngz on April 04, 2005 21:02:25

Same here, I commented out this rule also.

Posted by chris on April 05, 2005 07:51:17

I was waiting to see if anyone else had the same problems; I'm glad it wasn't just me not paying attention on Sunday morning! ;-) I also just commented out the rule and the system ran fine. I guess it might be a good idea to make a report about this.

Posted by mwatchinski on April 06, 2005 12:36:38

The ftpbounce keyword is in snort 2.4 and CVS HEAD (both are considered beta and not production releases).

The CURRENT rule snapshot tracks CURRENT, which is currently 2.4 / CVS HEAD :). If you're running 2.3, download the 2.3 snapshot, as it doesn't contain ftpbounce.

We will be updating the text on snort.org in the download section to explain this.


Posted by chris on April 11, 2005 16:12:10

Cool, thanks for the pointer. I, like the others, just commented out the rule and had no problems otherwise. Cheers for the prompt response. ;-)
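
Added example, not part of the original thread or of Snort itself: a pre-deployment check that lists active rules using option keywords the installed Snort version does not know, so a new snapshot can be vetted before the sensor loads it. The keyword set `SUPPORTED_2_3` is a constructed subset for illustration, the function names are hypothetical, and the sample rules are constructed around the rule quoted above.

```python
import re

# Constructed subset of option keywords (an assumption); build the real set
# from the documentation of the Snort version actually deployed.
SUPPORTED_2_3 = {"msg", "flow", "content", "nocase", "pcre", "classtype",
                 "sid", "rev", "reference", "depth", "offset"}

# Constructed sample rules file: the rule quoted in the thread, one rule with
# a quoted ';', and one rule that is already commented out.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype: misc-attack; sid:3441; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example; quoted \"semicolon\""; flow:to_server,established; content:"SITE"; nocase; classtype:misc-attack; sid:1000001; rev:1;)
# alert tcp any any -> any 21 (msg:"disabled"; ftpbounce; sid:1000002; rev:1;)
'''

# Matches an active (non-blank, non-comment) rule and captures its option body.
RULE_RE = re.compile(r"^\s*[^#\s(][^(]*\((.*)\)\s*$")

def split_options(body):
    """Split a rule's option body on ';', ignoring quoted or escaped ';'."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\" and not escaped)
        cur.append(ch)
    return [o for o in opts + ["".join(cur).strip()] if o]

def unsupported_keywords(rules_text, supported):
    """Return [(sid, keyword)] for active rules using unknown keywords."""
    findings = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pairs = [tuple(p.strip() for p in o.partition(":")[::2])
                 for o in split_options(m.group(1))]
        sid = dict(pairs).get("sid", "?")
        findings += [(sid, k) for k, _ in pairs if k not in supported]
    return findings

if __name__ == "__main__":
    for sid, kw in unsupported_keywords(SAMPLE_RULES, SUPPORTED_2_3):
        print(f"sid {sid}: unknown keyword '{kw}'")
```

Snort's own test mode (`snort -T -c <config>`) validates the configuration and rules without starting capture, and is the authoritative check; the script above only narrows down which sids to comment out.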