ClearFoundation Tracker - ClearOS
View Issue Details
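ID: 0022591
Project: ClearOS
Category: app-intrusion-detection - Intrusion Detection
View Status: public
Date Submitted: 2018-12-19 08:22
Last Update: 2019-02-22 22:03
Reporter: NickH
Assigned To: dloper
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: suspended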
7.6.0 Updates 
7.6.0 
0022591: Snort and the IDS rules do not cover port 2121 or 989/990
In /etc/snort.conf the variable FTP_PORTS only covers ports 21, 2100 and 3535 - however it does not seem to be used anywhere.

Similarly, further down snort.conf, in the "FTP / Telnet normalization and anomaly detection" section, only the same ports are covered.

Both need to be extended to cover 2121 (flexshares) and, if the rules can detect in FTPS streams, 898 (or 990).

At the same time, the ClearCenter ftp rules /etc/snort.d/rules/clearcenter/ftp.rules and any other ClearCenter supplied rules covering FTP such as attack_response.rules, current_events.rules, exploit.rules, info.rules, policy.rules, scan.rules and trojan.rules need to be adjusted to use $FTP_PORTS instead of simply port 21.
No tags attached.
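An added example, not part of the original issue or of ClearOS: a small audit for the two gaps described above, assuming Snort 2.x `portvar` and `ftp_telnet_protocol` syntax. The sample config and rules are constructed, and the function names `missing_ports` and `hardcoded_21` are hypothetical.

```python
import re

# Constructed sample input modelled on the settings the issue describes;
# not copied from a ClearOS system.
SNORT_CONF = """\
portvar FTP_PORTS [21,2100,3535]
preprocessor ftp_telnet_protocol: ftp server default \\
    def_max_param_len 100 \\
    ports { 21 2100 3535 }
"""
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"constructed FTP rule A"; sid:1000001; rev:1;)
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"constructed FTP rule B"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"constructed FTP rule C"; sid:1000003; rev:1;)
# alert tcp any any -> any 21 (msg:"disabled"; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2100 (msg:"constructed rule D"; sid:1000005; rev:1;)
"""

# action proto src sport direction dst dport (options)
HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
LOCATIONS = {
    "portvar FTP_PORTS": r"^portvar\s+FTP_PORTS\s+\[([^\]]*)\]",
    "ftp_telnet_protocol ports":
        r"^preprocessor\s+ftp_telnet_protocol:\s*ftp\s+server\b.*?ports\s*\{([^}]*)\}",
}

def missing_ports(conf, wanted):
    """For each config location found, list the wanted ports it does not cover."""
    conf = conf.replace("\\\n", " ")  # join backslash-continued lines
    result = {}
    for name, pattern in LOCATIONS.items():
        m = re.search(pattern, conf, re.M)
        if m:
            listed = {int(p) for p in re.findall(r"\d+", m.group(1))}
            result[name] = sorted(set(wanted) - listed)
    return result

def hardcoded_21(rules):
    """Return (sid, rewritten_rule) for enabled rules with a literal port 21."""
    hits = []
    for line in rules.splitlines():
        m = HEADER.match(line.strip())
        if not m:  # comments, blank lines, anything that is not a rule
            continue
        act, proto, src, sport, arrow, dst, dport, opts = m.groups()
        new_s, new_d = ("$FTP_PORTS" if p == "21" else p for p in (sport, dport))
        if (new_s, new_d) != (sport, dport):
            sid = re.search(r"\bsid:\s*(\d+)", opts)
            hits.append((int(sid.group(1)) if sid else None,
                         f"{act} {proto} {src} {new_s} {arrow} {dst} {new_d} ({opts})"))
    return hits
```

Run `missing_ports` with the ports the deployment actually serves FTP on (the issue names 2121 and 990) and `hardcoded_21` over each rule file listed in the issue.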
Issue History
2018-12-19 08:22 | NickH | New Issue
2019-02-22 22:03 | dloper | Note Added: 0008901
2019-02-22 22:03 | dloper | Status: new => closed
2019-02-22 22:03 | dloper | Assigned To: => dloper
2019-02-22 22:03 | dloper | Resolution: open => suspended

Notes
(0008901)
dloper   
2019-02-22 22:03   
Migrated to: https://gitlab.com/clearos/clearfoundation/app-intrusion-detection/issues/1