Bug #2527 (closed): FTP file extraction only working in passive mode
Description
Using the following rule, I'm unable to get FTP file extraction working on active mode transfers.
alert ftp-data any any -> any any (msg:"File Found within FTP and stored"; filestore; filename:"password"; ftpdata_command:stor; sid:31; rev:1;)
Both of the attached captures are downloading the same 3 files from an internet web site.
My testing was done on version 4.1.0-beta1.
I used the commands below to process the captures:
suricata -v -r /root/ftp2.cap -k none
suricata -v -r /root/ftp3.cap -k none
FTP2.CAP
File extraction not working via active mode.
220 (vsFTPd 2.3.5)
USER ftp
331 Please specify the password.
PASS ftp
230 Login successful.
SYST
215 UNIX Type: L8
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|34325|
200 EPRT command successful. Consider using EPSV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|42103|
200 EPRT command successful. Consider using EPSV.
NLST *KB.zip
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|60743|
200 EPRT command successful. Consider using EPSV.
RETR 100KB.zip
150 Opening BINARY mode data connection for 100KB.zip (102400 bytes).
226 Transfer complete.
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|56467|
200 EPRT command successful. Consider using EPSV.
RETR 1KB.zip
150 Opening BINARY mode data connection for 1KB.zip (1024 bytes).
226 Transfer complete.
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|48357|
200 EPRT command successful. Consider using EPSV.
RETR 512KB.zip
150 Opening BINARY mode data connection for 512KB.zip (524288 bytes).
226 Transfer complete.
QUIT
221 Goodbye.
FTP3.CAP
File extraction working using passive mode.
220 (vsFTPd 2.3.5)
USER ftp
331 Please specify the password.
PASS ftp
230 Login successful.
SYST
215 UNIX Type: L8
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|35413|
200 EPRT command successful. Consider using EPSV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
EPSV 2
229 Entering Extended Passive Mode (|||24483|).
LIST
150 Here comes the directory listing.
226 Directory send OK.
EPSV 2
229 Entering Extended Passive Mode (|||26153|).
NLST *KB.zip
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
EPSV 2
229 Entering Extended Passive Mode (|||23496|).
RETR 100KB.zip
150 Opening BINARY mode data connection for 100KB.zip (102400 bytes).
226 Transfer complete.
EPSV 2
229 Entering Extended Passive Mode (|||22731|).
RETR 1KB.zip
150 Opening BINARY mode data connection for 1KB.zip (1024 bytes).
226 Transfer complete.
EPSV 2
229 Entering Extended Passive Mode (|||29649|).
RETR 512KB.zip
150 Opening BINARY mode data connection for 512KB.zip (524288 bytes).
226 Transfer complete.
QUIT
221 Goodbye.
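As an added illustration (not part of the bug report or of Suricata's code), the helper below walks a control-channel transcript like the two above and derives, for each transfer, which side initiates the data connection and on which port. In active (EPRT) mode the server initiates the data connection toward the port the client advertised, so the data flow runs in the opposite direction to the control channel, whereas in passive (EPSV) mode the client connects to the port the server advertised; the sample session is constructed from the report's EPRT/EPSV lines, and the server address is a placeholder because the report does not give one.

```python
import re

# Constructed excerpt modelled on the ftp2.cap / ftp3.cap transcripts in the
# report: one active-mode (EPRT) RETR followed by one passive-mode (EPSV) RETR.
SAMPLE_SESSION = """\
EPRT |2|2601:191:8500:2e00:7c0f:78e0:dc5b:f7c1|60743|
200 EPRT command successful. Consider using EPSV.
RETR 100KB.zip
150 Opening BINARY mode data connection for 100KB.zip (102400 bytes).
226 Transfer complete.
EPSV 2
229 Entering Extended Passive Mode (|||23496|).
RETR 1KB.zip
150 Opening BINARY mode data connection for 1KB.zip (1024 bytes).
226 Transfer complete.
"""

EPRT_RE = re.compile(r"^EPRT \|(\d)\|([^|]+)\|(\d+)\|$")          # RFC 2428 EPRT
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")                 # RFC 2428 EPSV reply
XFER_RE = re.compile(r"^(RETR|STOR|LIST|NLST)(?: (.*))?$")        # data-channel commands

def data_channel_expectations(session, client_ip, server_ip):
    """Return one dict per data transfer: the command, its argument, the
    mode, and the (initiator, responder, port) of the data connection
    that an extraction engine would have to track for that transfer."""
    pending, expectations = None, []
    for line in session.splitlines():
        m = EPRT_RE.match(line)
        if m:  # active: client advertises its address/port, server connects to it
            pending = {"mode": "active", "initiator": server_ip,
                       "responder": m.group(2), "port": int(m.group(3))}
            continue
        m = EPSV_RE.match(line)
        if m:  # passive: server advertises a port, client connects to server_ip:port
            pending = {"mode": "passive", "initiator": client_ip,
                       "responder": server_ip, "port": int(m.group(1))}
            continue
        m = XFER_RE.match(line)
        if m and pending is not None:
            cmd = m.group(1)
            # Only RETR/STOR carry file content; these are the values the
            # ftpdata_command keyword matches against (LIST/NLST are listings).
            expectations.append({"command": cmd, "arg": m.group(2),
                                 "ftpdata_command": cmd.lower() if cmd in ("RETR", "STOR") else None,
                                 **pending})
            pending = None  # each EPRT/EPSV sets up exactly one data connection
    return expectations
```

Comparing the list this returns against the flows actually seen in a capture shows, per transfer, whether the data connection an IDS must follow is server-initiated (active) or client-initiated (passive).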