- 49. ports { <port> [<port> ...] }
  This is how the user configures which ports to decode as FTP command
  channel traffic. Typically port 21 will be included.
- 50. print_cmds
  During initialization, this option causes the preprocessor to print the
  configuration for each of the FTP commands for this server.
- 51. ftp_cmds { <cmd> [<cmd> ...] }
  The preprocessor is configured to alert when it sees an FTP command
  that is not allowed by the server.
  This option specifies a list of additional commands allowed by this server,
  outside of the default FTP command set as specified in RFC 959. This
  may be used to allow the use of the 'X' commands identified in RFC 775,
  as well as any additional commands as needed.
  For example:
      ftp_cmds { XPWD XCWD XCUP XMKD XRMD }
- 52. def_max_param_len <number>
  This specifies the default maximum allowed parameter length for an
  FTP command. It can be used as a basic buffer overflow detection.
- 53. alt_max_param_len <number> { <cmd> [<cmd> ...] }
  This specifies the maximum allowed parameter length for the specified
  FTP command(s). It can be used as a more specific buffer overflow
  detection. For example, for the USER command, usernames may be no longer
  than 16 bytes, so the appropriate configuration would be:
      alt_max_param_len 16 { USER }
- 54. chk_str_fmt { <cmd> [<cmd> ...] }
  This option causes a check for string format attacks in the specified
  commands.
- 55. cmd_validity cmd < fmt >
  This option specifies the valid format for parameters of a
  given command.
  fmt must be enclosed in <>'s and may contain the following:

  | Value | Description |
  | --- | --- |
  | int | Parameter must be an integer |
  | number | Parameter must be an integer between 1 and 255 |
  | char _chars | Parameter must be a single character, one of _chars |
  | date _datefmt | Parameter follows the format specified, where: # is a number, C is a character, [] is an optional format enclosed, \| is OR, {} is a choice of options, and anything else is a literal (i.e., . + -) |
  | string | Parameter is a string (effectively unrestricted) |
  | host_port | Parameter must be a host/port specified, per RFC 959 |
  | {}, \| | One of the choices enclosed within, separated by \| |
  | [] | Optional value enclosed within |
  Examples of the cmd_validity option are shown below. These examples are
  the default checks, per RFC 959 and others, performed by the preprocessor.
      cmd_validity MODE <char SBC>
      cmd_validity STRU <char FRP>
      cmd_validity ALLO < int [ char R int ] >
      cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
      cmd_validity PORT < host_port >
  A cmd_validity line can be used to override these defaults and/or add
  a check for other commands.
      # This allows additional modes, including mode Z which allows for
      # zip-style compression.
      cmd_validity MODE < char ASBCZ >
      # Allow for a date in the MDTM command.
      cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >
  MDTM is an odd case that is worth discussing.
  While not part of an established standard, certain FTP servers accept
  MDTM commands that set the modification time on a file. The most common
  format among servers that do is YYYYMMDDHHmmss[.uuu]. Some
  others accept a format using YYYYMMDDHHmmss[+|-]TZ. The example
  above is for the first case (time format as specified in
  http://www.ietf.org/internet-drafts/draft-ietf-ftpext-mlst-16.txt).
  To check validity for a server that uses the TZ format, use the following:
      cmd_validity MDTM < [ date nnnnnnnnnnnnnn[{+|-}n[n]] ] string >
- 56. telnet_cmds <yes|no>
  This option turns on detection and alerting when telnet escape sequences are
  seen on the FTP command channel. Injection of telnet escape sequences
  could be used as an evasion attempt on an FTP command channel.
- 57. data_chan
  This option causes the rest of Snort (rules, other preprocessors) to
  ignore FTP data channel connections. Using this option means that
  NO INSPECTION other than TCP state will be performed on FTP
  data transfers. It can be used to improve performance, especially with
  large file transfers from a trusted source. If your rule set includes
  virus-type rules, it is recommended that this option not be used.
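The following Python is an added example, not Snort's own code, that models how the ftp_cmds, def_max_param_len / alt_max_param_len, cmd_validity and telnet_cmds checks above fit together, including an interpreter for the fmt grammar in the table (int, number, char, date, string, host_port, [ ] and { a | b }). It makes several assumptions of its own: parameters are matched word by word on whitespace (Snort's matcher works on the raw bytes), the default parameter limit is 100, both `n` (as in the MDTM examples) and `#` (as in the table) stand for a digit in a date format, and the RFC 959 section 4.1 command list is the default allowed set. The class name `FtpServerPolicy`, the alert strings and the sample command lines are constructed for this example.

```python
import re
# RFC 959 section 4.1 commands: the default allowed set before ftp_cmds adds to it.
RFC959_CMDS = set("""USER PASS ACCT CWD CDUP SMNT QUIT REIN PORT PASV TYPE STRU
MODE RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD LIST NLST
SITE SYST STAT HELP NOOP""".split())
IAC = 0xFF                      # telnet "interpret as command" escape byte
DIGITS = re.compile('[0-9]+')   # ASCII digits only
DEFAULT_VALIDITY = {            # the default cmd_validity checks listed in the text
    'MODE': '< char SBC >',
    'STRU': '< char FRP >',
    'ALLO': '< int [ char R int ] >',
    'TYPE': '< { char AE [ char NTC ] | char I | char L [ number ] } >',
    'PORT': '< host_port >',
}

def date_regex(datefmt):
    """_datefmt -> regex: n or # digit, C character, [] optional, {a|b} choice, else literal."""
    table = {'n': r'\d', '#': r'\d', 'C': '[A-Za-z]', '[': '(?:', ']': ')?',
             '{': '(?:', '}': ')', '|': '|'}
    return re.compile(''.join(table.get(c, re.escape(c)) for c in datefmt))

def parse_fmt(fmt):
    """Parse a '< ... >' fmt string into a list of (kind, argument) nodes."""
    toks = fmt.split()
    if toks[0] != '<' or toks[-1] != '>':
        raise ValueError("fmt must be enclosed in <>'s")
    return _parse_seq(toks, 1, {'>'})[0]

def _parse_seq(toks, i, stops):
    seq = []
    while toks[i] not in stops:
        t = toks[i]
        if t in ('int', 'number', 'string', 'host_port'):
            seq.append((t, None))
        elif t in ('char', 'date'):              # char _chars / date _datefmt
            seq.append((t, toks[i + 1])); i += 1
        elif t == '[':                           # [ optional ]
            inner, i = _parse_seq(toks, i + 1, {']'})
            seq.append(('opt', inner))
        elif t == '{':                           # { a | b | c }
            alts = []
            while toks[i] != '}':
                inner, i = _parse_seq(toks, i + 1, {'|', '}'})
                alts.append(inner)
            seq.append(('alt', alts))
        else:
            raise ValueError(f"unknown fmt token {t!r}")
        i += 1
    return seq, i

def _match_seq(seq, words, j):
    """Word indexes at which seq can end when matching starts at word j."""
    ends = {j}
    for node in seq:
        ends = set().union(*(_match_node(node, words, e) for e in ends))
    return ends

def _match_node(node, words, j):
    kind, arg = node
    if kind == 'opt':
        return {j} | _match_seq(arg, words, j)
    if kind == 'alt':
        return set().union(*(_match_seq(a, words, j) for a in arg))
    if kind == 'string':                         # effectively unrestricted: takes the rest
        return {len(words)}
    if j >= len(words):
        return set()
    w = words[j]
    checks = {'int': lambda: DIGITS.fullmatch(w) is not None,
              'number': lambda: DIGITS.fullmatch(w) is not None and 1 <= int(w) <= 255,
              'char': lambda: len(w) == 1 and w in arg,
              'date': lambda: date_regex(arg).fullmatch(w) is not None,
              'host_port': lambda: len(w.split(',')) == 6 and all(      # RFC 959 h1,h2,h3,h4,p1,p2
                  DIGITS.fullmatch(p) and int(p) <= 255 for p in w.split(','))}
    return {j + 1} if checks[kind]() else set()

class FtpServerPolicy:
    def __init__(self, def_max_param_len=100, alt_max_param_len=None,
                 ftp_cmds=(), cmd_validity=None, telnet_cmds=True):
        self.def_max, self.alt_max = def_max_param_len, alt_max_param_len or {}
        self.allowed = RFC959_CMDS | set(ftp_cmds)          # ftp_cmds extends RFC 959
        self.validity = {c: parse_fmt(f) for c, f in
                         {**DEFAULT_VALIDITY, **(cmd_validity or {})}.items()}
        self.telnet_cmds = telnet_cmds

    def check(self, line):
        """Return the alerts one raw command-channel line (bytes) would raise."""
        alerts = []
        if self.telnet_cmds and IAC in line:
            alerts.append('telnet escape sequence on FTP command channel')
        cmd, _, param = line.decode('latin-1').rstrip('\r\n').partition(' ')
        cmd = cmd.upper()
        if cmd not in self.allowed:
            return alerts + [f'command {cmd} not allowed by server']
        limit = self.alt_max.get(cmd, self.def_max)    # alt_max_param_len overrides the default
        if len(param) > limit:
            alerts.append(f'{cmd} parameter length {len(param)} exceeds {limit}')
        words, fmt = param.split(), self.validity.get(cmd)
        if fmt is not None and len(words) not in _match_seq(fmt, words, 0):
            alerts.append(f'{cmd} parameter {param!r} fails cmd_validity')
        return alerts
```

`FtpServerPolicy(alt_max_param_len={'USER': 16}, ftp_cmds=('XPWD', 'MDTM'), cmd_validity={'MODE': '< char ASBCZ >', 'MDTM': '< [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string >'})` corresponds to the alt_max_param_len, ftp_cmds and cmd_validity lines quoted above, and `check(b'TYPE L 300\r\n')` or `check(b'PORT 10,0,0,1,4,300\r\n')` then returns one alert each because `number` and the host/port fields are limited to 255. One consequence of the grammar worth noticing: since `string` is unrestricted, `[ date ... ] string` only validates a timestamp when the parameter looks like one; any other parameter is accepted as the string part, so the MDTM lines allow a date rather than require it.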