Snort - the de facto standard for intrusion detection/prevention
the de facto standard in IPS  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Snort Downloads Snort Rules Snort Docs Snort Training Snort Forums Snort Community Snort Store
Search Site
Search Rules
Account
email
password
not registered?
can't login?
user preferences
next up previous contents
Next: Examples/Default Configuration from snort.conf Up: FTP/Telnet Preprocessor Previous: Example IP specific FTP   Contents

FTP Client Configuration Options

58.
max_resp_len $<$number$>$

This specifies the maximum allowed response length to an FTP command accepted by the client. It can be used as a basic buffer overflow detection.

59.
bounce $<$yes|no$>$

This option turns on detection and alerting of FTP bounce attacks. An FTP bounce attack occurs when the FTP PORT command is issued and the specified host does not match the host of the client.

60.
bounce_to $<$ CIDR,[port$\vert$portlow,porthi] $>$

When the bounce option is turned on, this allows the PORT command to use the IP address (in CIDR format) and port (or inclusive port range) without generating an alert. It can be used to deal with proxied FTP connections where the FTP data channel is different from the client.

A few examples:

  • Allow bounces to 192.162.1.1 port 20020 - ie, the use of PORT 192,168,1,1,78,52. 

    bounce_to { 192.168.1.1,20020 }

  • Allow bounces to 192.162.1.1 ports 20020 through 20040 - ie, the use of PORT 192,168,1,1,78,xx, where xx is 52 through 72 inclusive. 

    bounce_to { 192.168.1.1,20020,20040 }

  • Allow bounces to 192.162.1.1 port 20020 and 192.168.1.2 port 20030. 

    bounce_to { 192.168.1.1,20020 192.168.1.2,20030}

61.
telnet_cmds $<$yes|no$>$

This option turns on detection and alerting when telnet escape sequences are seen on the FTP command channel. Injection of telnet escape sequences could be used as an evasion attempt on an FTP command channel.

next up previous contents
Next: Examples/Default Configuration from snort.conf Up: FTP/Telnet Preprocessor Previous: Example IP specific FTP   Contents
Steven Sturges 2008-04-01
site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.