Possible false positive 12900 Unrecognized FTP Command

john.stark
Level 1

Signature tripping on the following contents. Is this an invalid FTP command, or does the signature need tuning?

0x0000 0000 0014 005e 0029 0047 0045 0000 0018 0019 000a 0070 0000 0008 0000 0045 0000 ....^)GE........p......E..

0x0010 0000 003a fff7 0069 0040 0000 0034 0006 005f ffc7 0047 0010 001b 0033 000a ffc8 ..:..i@..4.._..G....3....

0x0020 ff82 ff82 000a ff82 0000 0015 002e 001d ff9d ffc4 0065 ff94 0005 ffd9 0050 0018 ...................e......P..

0x0030 0061 0008 ffd6 ffd0 0000 0000 0041 0055 0054 0048 0020 004b 0045 0052 0042 0045 a..........AUTH KERBE

0x0040 0052 004f 0053 005f 0056 0035 000d 000a ROS_V5....


mhellman
Level 7

AFAICT, "AUTH Kerberos_V5" is valid. See:

http://www.ietf.org/rfc/rfc2228.txt

So 129xx sigs... The "recognized" commands are:

user, pass, acct, cwd, cdup, smnt, quit, rein, port, pasv, type, stru, mode, retr, stor, stou, appe, allo, rest, rnfr, rnto, abor, dele, rmd, mkd, pwd, list, nlst, site, syst, stat, help, noop

Which parallel RFC 959. Anything not one of those should fire 12900, the unrecognized FTP command sig.

RFC 2228 are security extensions to the FTP specifications RFC 959. So while they're legal for some FTP servers, the commands aren't required.

We can argue it either way, and rather than go down that rabbit hole, I've provided the list of recognized commands.

What would you recommend? For my environment, auth is a normal command.

Looks like I am also seeing trigger packets for auth tls.

Thanks

John

triggerPacket:

000000 00 18 19 0A 70 00 00 14 F2 92 F8 1A 08 00 45 00 ....p.........E.

000010 00 32 DA B6 40 00 71 06 69 4E C0 8B 4F 01 43 80 .2..@.q.iN..O.C.

000020 72 B4 C7 E2 00 15 ED 0C D2 E2 79 29 C7 D1 50 18 r.........y)..P.

000030 FF DB 11 F4 00 00 41 55 54 48 20 54 4C 53 0D 0A ......AUTH TLS..
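
An added example, not part of any post in this thread and not the sensor's own logic: it pulls the TCP payload out of the "AUTH TLS" triggerPacket above and classifies the command against the recognized list quoted in the thread and the command names defined in RFC 2228. The function names and the three category labels are assumptions of this example.

```python
import struct

# Commands the thread lists as recognized by the 129xx signatures (RFC 959).
RFC959 = set("""user pass acct cwd cdup smnt quit rein port pasv type stru mode
retr stor stou appe allo rest rnfr rnto abor dele rmd mkd pwd list nlst site syst
stat help noop""".split())
# Command names defined by RFC 2228 (FTP Security Extensions).
RFC2228 = {"auth", "adat", "prot", "pbsz", "ccc", "mic", "conf", "enc"}

# Hex column of the "AUTH TLS" triggerPacket posted in the thread.
TRIGGER_HEX = """
00 18 19 0A 70 00 00 14 F2 92 F8 1A 08 00 45 00
00 32 DA B6 40 00 71 06 69 4E C0 8B 4F 01 43 80
72 B4 C7 E2 00 15 ED 0C D2 E2 79 29 C7 D1 50 18
FF DB 11 F4 00 00 41 55 54 48 20 54 4C 53 0D 0A
"""

def tcp_payload(frame: bytes):
    """Return (dst_port, payload) for an Ethernet II / IPv4 / TCP frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ip[9] != 6 or ihl < 20 or total_len > len(ip):
        raise ValueError("not a complete IPv4/TCP packet")
    tcp = ip[ihl:total_len]  # total_len trims any Ethernet padding
    data_off = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP header")
    return struct.unpack("!H", tcp[2:4])[0], tcp[data_off:]

def classify(payload: bytes):
    """Classify the first FTP command line of a control-channel payload."""
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    verb, _, arg = line.partition(" ")
    v = verb.lower()  # FTP command names are case-insensitive
    kind = ("rfc959" if v in RFC959
            else "rfc2228-extension" if v in RFC2228
            else "unrecognized")
    return verb.upper(), arg, kind

def triage(hexdump: str):
    """Decode a hex dump of a frame and return (dst_port, verb, arg, kind)."""
    port, payload = tcp_payload(bytes.fromhex("".join(hexdump.split())))
    return (port,) + classify(payload)
```

Run over exported 12900 trigger packets, the `rfc2228-extension` bucket separates alerts for standards-defined security commands from verbs that appear in neither list.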
