Hey everyone,
I've encountered Tor relay traffic over port 21 triggering some (overly aggressive?) Snort rules.
Our ISP recently sent us a slew of Snort warnings that were triggered by our obfsproxies creating circuits with Tor relays that run on port 21 (I've confirmed this). The warnings are of the form:
ftp_pp: Telnet command on FTP command channel [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
ftp_pp: FTP response length overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
ftp_pp: Evasive Telnet command on FTP command channel [**] [Classification: Potentially Bad Traffic] [Priority: 2]
(Lawl.)
They described the quantity as "overwhelming." I have no idea if this rule is enabled by default or configurable in some way. I am not familiar with Snort.
Has anyone ever encountered this before? If encrypted relay traffic to port 21 does indeed trigger these widely distributed warnings, it might be a good idea for "best practices" to suggest avoiding relays on this port.
Thanks.
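As an added illustration (my own code, not Snort's and not part of the post above) of why encrypted relay traffic on TCP/21 reads as FTP/Telnet abuse: Snort's ftp_telnet preprocessor treats anything on its FTP ports (21 by default) as a plaintext FTP command channel, so a 0xFF byte (the Telnet IAC byte) inside a TLS handshake looks like a Telnet command, and a long server record with no CRLF in it looks like an oversized FTP response. The model below is simplified; the response-length threshold and the exact conditions are assumptions, and the "Evasive Telnet command" alert is not modelled. The sample traffic is constructed, not captured.

```python
"""Simplified model of why TLS bytes on TCP/21 trip an FTP/Telnet decoder.

Added example for illustration only: this is NOT Snort's code and NOT from the
original post.  The two checks mirror the alert messages quoted in the post;
the exact conditions and the MAX_RESP_LEN threshold are assumptions.
"""

IAC = 0xFF          # Telnet "Interpret As Command"; plaintext FTP control lines never contain it
MAX_RESP_LEN = 256  # assumed: longest CRLF-terminated server line tolerated before "length overflow"


def check_ftp_control_channel(payload: bytes, from_server: bool,
                              max_resp_len: int = MAX_RESP_LEN) -> list[str]:
    """Return the alerts a Telnet/FTP-aware decoder would raise for one TCP
    segment seen on the FTP command channel (simplified model)."""
    alerts = []
    # Any 0xFF byte is interpreted as the start of a Telnet command sequence.
    if IAC in payload:
        alerts.append("Telnet command on FTP command channel")
    # Server replies are expected as CRLF-terminated lines; a run of bytes
    # longer than max_resp_len with no CRLF looks like an oversized response.
    if from_server:
        longest = max((len(line) for line in payload.split(b"\r\n")), default=0)
        if longest > max_resp_len:
            alerts.append("FTP response length overflow")
    return alerts


def p_contains_iac(n_random_bytes: int) -> float:
    """Probability that n uniformly random bytes include at least one 0xFF."""
    return 1.0 - (255 / 256) ** n_random_bytes


# --- Constructed sample traffic (not captured from any real host) ---------

# 1. A legitimate FTP control-channel exchange: no alerts expected.
FTP_CLIENT = b"USER anonymous\r\n"
FTP_SERVER = b"220 ftp.example.net FTP server ready\r\n331 Please specify the password.\r\n"

# 2. A TLS ClientHello whose 32-byte random field happens to contain 0xFF
#    (real randoms do so roughly 12% of the time; the whole hello far more often).
TLS_CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2d"                # record header: handshake, TLS 1.0 compat version, length 45
    + b"\x01\x00\x00\x29\x03\x03"          # ClientHello header (body length 41), client_version TLS 1.2
    + bytes(range(0x20, 0x3f)) + b"\xff"   # 32-byte client random, constructed to end in 0xFF
    + b"\x00"                              # session_id length 0
    + b"\x00\x02\xc0\x2f"                  # one cipher suite
    + b"\x01\x00"                          # compression methods: null
)

# 3. A server-side handshake record (ServerHello + certificate chain) packed
#    into one segment: 600 bytes with no CRLF, and one 0xFF at offset 73.
TLS_SERVER = b"\x16\x03\x03\x02\x58" + bytes((i * 7) % 256 for i in range(600))


def classify_samples() -> dict[str, list[str]]:
    """Run the model over the constructed segments, keyed by sample name."""
    return {
        "ftp_client": check_ftp_control_channel(FTP_CLIENT, from_server=False),
        "ftp_server": check_ftp_control_channel(FTP_SERVER, from_server=True),
        "tls_client_hello": check_ftp_control_channel(TLS_CLIENT_HELLO, from_server=False),
        "tls_server": check_ftp_control_channel(TLS_SERVER, from_server=True),
    }


if __name__ == "__main__":
    for name, alerts in classify_samples().items():
        print(f"{name:17s} -> {alerts or 'no alerts'}")
    print(f"P(0xFF in 32 random bytes)  = {p_contains_iac(32):.3f}")
    print(f"P(0xFF in 512 random bytes) = {p_contains_iac(512):.3f}")
```

Because every relay handshake is several hundred bytes of effectively random data in each direction, nearly every circuit built to a port-21 relay produces at least one of these alerts, which is consistent with the ISP calling the volume "overwhelming".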