[tor-relays] Relay traffic triggering snort ftp rules

Paul Pearce pearce at cs.berkeley.edu
Fri Jun 5 00:38:06 UTC 2015

Hey everyone,

I've encountered tor relay traffic over port 21 is triggering some
(overly aggressive?) snort rules.

Our ISP recently sent us a slew of snort warnings that were triggered
by our obfsproxies creating circuits with tor relays that run on port
21 (I've confirmed this). The warnings are of the form:

ftp_pp: Telnet command on FTP command channel [**] [Classification:
Generic Protocol Command Decode] [Priority: 3]
ftp_pp: FTP response length overflow [**] [Classification: Attempted
User Privilege Gain] [Priority: 1] {TCP}
ftp_pp: Evasive Telnet command on FTP
command channel [**] [Classification: Potentially Bad Traffic] [Priority: 2]


They described the quantity as "overwhelming." I have no idea if this
rule is enabled by default or configurable in some way. I am not
familiar with snort.

Has anyone ever encountered this before? If encrypted relay traffic to
port 21 does indeed trigger these widely distributed warnings, it
might be a good idea for "best practices" to suggest avoiding relays
on this port.


More information about the tor-relays mailing list