
FTP Client Configuration Options

99. max_resp_len <number>

This specifies the maximum allowed response length to an FTP command accepted by the client. It can be used as basic buffer overflow detection.

100. bounce <yes|no>

This option turns on detection and alerting of FTP bounce attacks. An FTP bounce attack occurs when the FTP PORT command is issued and the specified host does not match the host of the client.

101. bounce_to < CIDR,[port|portlow,porthi] >

When the bounce option is turned on, this option allows the PORT command to use the specified IP address (in CIDR format) and port (or inclusive port range) without generating an alert. It can be used to deal with proxied FTP connections where the FTP data channel is different from the client.

A few examples:
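The check that `bounce` and `bounce_to` describe, sketched in Python as an added illustration (this is not Snort's implementation and not taken from the manual). The function names, the result labels and the sample addresses are assumptions; `bounce_to` entries are modelled as plain `CIDR,port` or `CIDR,portlow,porthi` strings.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 -> host h1.h2.h3.h4, port p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     r"(\d{1,3}),(\d{1,3})$", re.IGNORECASE)

def parse_port(line):
    """Return (ip, port) from an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def parse_bounce_to(entry):
    """Parse 'CIDR,port' or 'CIDR,portlow,porthi' into (network, low, high)."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) not in (2, 3):
        raise ValueError("expected CIDR,port or CIDR,portlow,porthi: %r" % entry)
    net = ipaddress.ip_network(parts[0], strict=False)
    low = int(parts[1])
    high = int(parts[2]) if len(parts) == 3 else low  # single port = range of one
    if not 0 < low <= high <= 65535:
        raise ValueError("bad port range in %r" % entry)
    return net, low, high

def check_port_command(client_ip, line, bounce_to=()):
    """Classify a PORT command as 'ok', 'allowed', 'bounce' or 'malformed'."""
    parsed = parse_port(line)
    if parsed is None:
        return "malformed"
    ip, port = parsed
    if ip == ipaddress.ip_address(client_ip):
        return "ok"                      # data channel goes back to the client
    for net, low, high in map(parse_bounce_to, bounce_to):
        if ip in net and low <= port <= high:
            return "allowed"             # exempted by a bounce_to entry
    return "bounce"                      # host differs from client: alert

if __name__ == "__main__":
    allow = ["192.168.1.1,20020,20040"]  # constructed sample entry
    for cmd in ("PORT 10,0,0,5,78,52", "PORT 192,168,1,1,78,52",
                "PORT 192,168,1,1,0,22", "PORT 10,0,0"):
        print(cmd, "->", check_port_command("10.0.0.5", cmd, allow))
```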

102. telnet_cmds <yes|no>

This option turns on detection and alerting when telnet escape sequences are seen on the FTP command channel. Injection of telnet escape sequences could be used as an evasion attempt on an FTP command channel.

103. ignore_telnet_erase_cmds <yes|no>

This option allows Snort to ignore telnet escape sequences for erase character (TNC EAC) and erase line (TNC EAL) when normalizing the FTP command channel. Some FTP clients do not process those telnet escape sequences.


Eugene Misnik 2013-05-08