[7.480][BUG][NOTABUG] ips -ftp server fails positive

Hi Friends !

I am using ftp server on suse sles 10 64bit pureftp server (dmz) with astaro
as earlier i face some problem (with version 7.470) after update i am getting ips alerts ,i am not able to acess server locally (ftp://ftp.***x.*** -fqdn) but other people are able to acess it and able to send files (check )

file transfer not check with 7.480 /check with 7.470 but could not get log of file transfer

pls check image

Thanks

update/edit :2009:08:12-14:29:59 ace75 snort[4393]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="LAND Attack, sameip detected" group="242" srcip="121.247.xx.***" dstip="121.247.xx.***" proto="6" srcport="21" dstport="49918" sid="200012" class="" priority="0" generator="1" msgid="0"
2009:08:12-14:30:00 ace75 snort[4393]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="LAND Attack, sameip detected" group="242" srcip="121.247.xx.***" dstip="121.247.xx.***" proto="6" srcport="21" dstport="49918" sid="200012" class="" priority="0" generator="1" msgid="0"

yes its same ip but why it should give error source is 1.2.3.4 dest is 1.2.3.4 @home with static ip ftp server is dmz in same lan

edit 2:::::after adding disble rule it work ::::

2009:08:14-22:54:57 ace75 snort[14224]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="(ftp_telnet) FTP command parameters were malformed" group="0" srcip="10.242.1.2" dstip="192.168.2.250" proto="6" srcport="2188" dstport="21" sid="0" class="" priority="3" generator="125" msgid="1" but here it donot show public ip

ftp server work

23:06:52 Connection using NAT TCP
10.242.1.2 : 2278
→
121.247.65.116 : 21

[SYN] len=48 ttl=128 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:00:00:00:00:00
23:06:52 FTP data connection TCP
10.242.1.2 : 2279
→
192.168.2.250 : 16759

[SYN] len=48 ttl=128 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:00:00:00:00:00
23:06:53 FTP data connection TCP
10.242.1.2 : 2280
→
192.168.2.250 : 59906

[SYN] len=48 ttl=128 tos=0x00 srcmac=00:00:00:00:00:00 dstmac=00:00:00:00:00:00

Parents

0 ee-tra over 16 years ago

Works as intended. Prevents Land Attack ( src eq dst ip).
For some setups you have to disable this rule.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 utm_kid over 16 years ago in reply to ee-tra

Hi,

why source show public ip ?
it suppose to be private ip

please explain if i am wrong

Thanks

edit
ftp log show correct ip but cant connect to server gives error ,when i connect my wan/public ip 121.247.x.x. in bridge mode it show source and destination ip 121.247.x.x

pls see log

Thanks
- ftpla.txt
- View
- Hide
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 utm_kid over 16 years ago in reply to ee-tra

Hi,

why source show public ip ?
it suppose to be private ip

please explain if i am wrong

Thanks

edit
ftp log show correct ip but cant connect to server gives error ,when i connect my wan/public ip 121.247.x.x. in bridge mode it show source and destination ip 121.247.x.x

pls see log

Thanks
- ftpla.txt
- View
- Hide
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data