
Bug #2527

closed

FTP file extraction only working in passive mode

Added by Carl Rotenan over 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using the following rule, I'm unable to get FTP file extraction working on active mode transfers.

alert ftp-data any any -> any any (msg:"File Found within FTP and stored"; filestore; filename:"password"; ftpdata_command:stor; sid:31; rev:1;)

Both of the attached captures are downloading the same 3 files from an internet web site.

My testing was done on version 4.1.0-beta1.

I used the commands below to process the captures.

suricata -v -r /root/ftp2.cap -k none
suricata -v -r /root/ftp3.cap -k none

FTP2.CAP

File extraction not working via active mode.

220 (vsFTPd 2.3.5)
USER ftp
331 Please specify the password.
PASS ftp
230 Login successful.
SYST
215 UNIX Type: L8
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|34325|
200 EPRT command successful. Consider using EPSV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|42103|
200 EPRT command successful. Consider using EPSV.
NLST *KB.zip
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|60743|
200 EPRT command successful. Consider using EPSV.
RETR 100KB.zip
150 Opening BINARY mode data connection for 100KB.zip (102400 bytes).
226 Transfer complete.
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|56467|
200 EPRT command successful. Consider using EPSV.
RETR 1KB.zip
150 Opening BINARY mode data connection for 1KB.zip (1024 bytes).
226 Transfer complete.
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|48357|
200 EPRT command successful. Consider using EPSV.
RETR 512KB.zip
150 Opening BINARY mode data connection for 512KB.zip (524288 bytes).
226 Transfer complete.
QUIT
221 Goodbye.

FTP3.CAP

File extraction working using passive mode.

220 (vsFTPd 2.3.5)
USER ftp
331 Please specify the password.
PASS ftp
230 Login successful.
SYST
215 UNIX Type: L8
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|35413|
200 EPRT command successful. Consider using EPSV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
EPSV 2
229 Entering Extended Passive Mode (|||24483|).
LIST
150 Here comes the directory listing.
226 Directory send OK.
EPSV 2
229 Entering Extended Passive Mode (|||26153|).
NLST *KB.zip
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
EPSV 2
229 Entering Extended Passive Mode (|||23496|).
RETR 100KB.zip
150 Opening BINARY mode data connection for 100KB.zip (102400 bytes).
226 Transfer complete.
EPSV 2
229 Entering Extended Passive Mode (|||22731|).
RETR 1KB.zip
150 Opening BINARY mode data connection for 1KB.zip (1024 bytes).
226 Transfer complete.
EPSV 2
229 Entering Extended Passive Mode (|||29649|).
RETR 512KB.zip
150 Opening BINARY mode data connection for 512KB.zip (524288 bytes).
226 Transfer complete.
QUIT
221 Goodbye.


Files

ftp2.cap (655 KB) ftp2.cap active mode Carl Rotenan, 07/08/2018 11:22 PM
ftp3.cap (649 KB) ftp3.cap passive mode Carl Rotenan, 07/08/2018 11:22 PM
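To make concrete what an inspector has to track differently in the two captures above, here is an added Python example; it is not Suricata's code and not from the reporter. It walks a control-channel transcript and, for each data command (LIST, NLST, RETR, STOR, APPE), records which side has to open the ftp-data connection and to which address:port, taken from the most recent EPRT (active) or EPSV 229 reply (passive). The `Expectation` type and `parse_control_session` function are names chosen here; the client address is the one in the report's EPRT lines, the server address `2001:db8::21` is a constructed placeholder, and the two session strings are trimmed from the transcripts in the description.

```python
"""Pair FTP data connections with the control-channel command that opened them.

Added example, not Suricata's code: walks a control-channel transcript (client
commands carry no reply code, server replies start with a 3-digit code) and, for
every data command, records which side must open the data connection and to
which address:port, from the last EPRT (active) or EPSV (passive) negotiation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Commands whose payload travels over the secondary (ftp-data) connection.
DATA_COMMANDS = {"LIST", "NLST", "RETR", "STOR", "APPE"}
# EPRT |<proto>|<addr>|<port>|  (RFC 2428; proto 1 = IPv4, 2 = IPv6)
EPRT_RE = re.compile(r"^EPRT \|(\d)\|([^|]+)\|(\d+)\|$")
# 229 Entering Extended Passive Mode (|||<port>|)
EPSV_REPLY_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")

CLIENT_IP = "2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1"  # from the report's EPRT lines
SERVER_IP = "2001:db8::21"  # constructed placeholder; the report does not show it

# Constructed: trimmed from the two control-channel transcripts in the report.
ACTIVE_SESSION = """\
230 Login successful.
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|60743|
200 EPRT command successful. Consider using EPSV.
RETR 100KB.zip
226 Transfer complete.
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|56467|
200 EPRT command successful. Consider using EPSV.
RETR 1KB.zip
226 Transfer complete.
QUIT
"""
PASSIVE_SESSION = """\
230 Login successful.
EPSV 2
229 Entering Extended Passive Mode (|||23496|).
RETR 100KB.zip
226 Transfer complete.
EPSV 2
229 Entering Extended Passive Mode (|||22731|).
RETR 1KB.zip
226 Transfer complete.
QUIT
"""


@dataclass
class Expectation:
    mode: str                # "active", "passive" or "unknown"
    command: str             # RETR, STOR, LIST, ...
    argument: str            # file name or listing pattern
    initiator: str           # IP that must open the data connection
    endpoint: str            # "addr:port" (or "[v6addr]:port") it connects to
    addr_matches_peer: bool  # EPRT address equals the control-channel client?


def _endpoint(addr: str, port: int) -> str:
    return f"[{addr}]:{port}" if ":" in addr else f"{addr}:{port}"


def parse_control_session(lines, client_ip: str, server_ip: str) -> List[Expectation]:
    pending: Optional[dict] = None
    out: List[Expectation] = []
    for raw in lines:
        line = raw.strip()
        m = EPRT_RE.match(line)
        if m:
            # Active: the client names the address:port the SERVER will connect
            # to.  Hold it until the server accepts the EPRT with a 200 reply.
            _, addr, port = m.groups()
            pending = {"mode": "active", "addr": addr, "port": int(port), "ok": False}
            continue
        if line.startswith("200 EPRT") and pending and pending["mode"] == "active":
            pending["ok"] = True
            continue
        m = EPSV_REPLY_RE.match(line)
        if m:
            # Passive: the server names the port the CLIENT will connect to.
            pending = {"mode": "passive", "addr": server_ip, "port": int(m.group(1)), "ok": True}
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb not in DATA_COMMANDS:
            continue
        if not pending or not pending["ok"]:
            # No negotiated channel: nothing for an inspector to pair this with.
            out.append(Expectation("unknown", verb, arg, "", "", False))
        elif pending["mode"] == "active":
            out.append(Expectation("active", verb, arg, server_ip,
                                   _endpoint(pending["addr"], pending["port"]),
                                   pending["addr"] == client_ip))
        else:
            out.append(Expectation("passive", verb, arg, client_ip,
                                   _endpoint(pending["addr"], pending["port"]), True))
        pending = None  # one negotiation serves exactly one data connection
    return out
```

Running `parse_control_session(ACTIVE_SESSION.splitlines(), CLIENT_IP, SERVER_IP)` yields two expectations in which the server is the initiator and the endpoint is the client's EPRT address and port; the passive session yields two in which the client initiates toward the server's 229 port. An inspector that only learns data channels from 229 replies therefore never sees the active-mode transfers, which is the gap the related feature request #2459 covers. The `command` field records the verb that opened the channel, which is what a keyword such as the rule's `ftpdata_command` selects on, and `addr_matches_peer` flags an EPRT that names an address other than the control-channel client, a sanity check worth keeping in any such parser.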

Related issues: 1 (0 open, 1 closed)

Related to Suricata - Feature #2459: Support of FTP active mode (Closed, assignee Jeff Lucovsky)
#1

Updated by Victor Julien over 6 years ago

  • Priority changed from High to Normal
  • Target version changed from 4.1beta1 to TBD
  • Effort set to low
  • Difficulty set to medium
#2

Updated by Victor Julien almost 6 years ago

  • Status changed from New to Assigned
  • Assignee set to Jeff Lucovsky
  • Target version changed from TBD to 5.0beta1
#3

Updated by Victor Julien almost 6 years ago

#4

Updated by Victor Julien over 5 years ago

  • Status changed from Assigned to Closed
  • Effort deleted (low)
  • Difficulty deleted (medium)