[tor-relays] Relay traffic triggering snort ftp rules
Paul Pearce
pearce at cs.berkeley.edu
Fri Jun 5 00:38:06 UTC 2015
Hey everyone,
I've encountered tor relay traffic over port 21 is triggering some
(overly aggressive?) snort rules.
Our ISP recently sent us a slew of snort warnings that were triggered
by our obfsproxies creating circuits with tor relays that run on port
21 (I've confirmed this). The warnings are of the form:
ftp_pp: Telnet command on FTP command channel [**] [Classification:
Generic Protocol Command Decode] [Priority: 3]
ftp_pp: FTP response length overflow [**] [Classification: Attempted
User Privilege Gain] [Priority: 1] {TCP}
ftp_pp: Evasive Telnet command on FTP
command channel [**] [Classification: Potentially Bad Traffic] [Priority: 2]
(Lawl.)
They described the quantity as "overwhelming." I have no idea if this
rule is enabled by default or configurable in some way. I am not
familiar with snort.
Has anyone ever encountered this before? If encrypted relay traffic to
port 21 does indeed trigger these widely distributed warnings, it
might be a good idea for "best practices" to suggest avoiding relays
on this port.
Thanks.
More information about the tor-relays
mailing list