Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


ISC Update: Fixed search feature. Please test and report problems. Thanks!

New ISC Feature: One Liner "event notes"

Published: 2009-10-04
Last Updated: 2009-10-04 13:09:42 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

We are going to introduce a new feature this weekend: One liner "event notes". These notes are intended for cases in which we try to point out something briefly, which doesn't deserve or need a full diary. For example an outage, or a patch for some software.

Right now, notifications are not sent for these "one liners". In the future, I may add an option to send them.

Please use our comment form to report problems with these one liners. I am also interested in hearing from anybody who has issues using the OpenID login. Right now, I am aware of some providers having problems, but I need a few more samples. If you attempted to use an OpenID but it failed, please let me know the OpenID you used and how it failed.

 

Thanks!

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Samba Security Information Disclosure and DoS

Published: 2009-10-04
Last Updated: 2009-10-04 12:15:47 UTC
by Guy Bruneau (Version: 1)
0 comment(s)

Samba released several updates to fix security vulnerabilities. Anyone running Samba should take a look at each of the bulletins below and seriously consider upgrading; the updates can be downloaded here.

References:

Information disclosure by setuid mount.cifs - affecting all versions

Remote DoS against smbd on authenticated connections - affecting all versions

Misconfigured /etc/passwd file may share folders unexpectedly - affecting version > 3.0.11

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

TEST: Soon to come... one liner news stories about outages and other "small events"

Cyber Security Awareness Month - Day 4 - Port 20/21 - FTP-data/FTP

Published: 2009-10-04
Last Updated: 2009-10-04 00:10:19 UTC
by Guy Bruneau (Version: 1)
1 comment(s)

First proposed in April 1971, the File Transfer Protocol is one of the oldest protocols of the Internet. According to RFC 959, "The objectives of FTP are 1) to promote sharing of files (computer programs and/or data), 2) to encourage indirect or implicit (via programs) use of remote computers, 3) to shield a user from variations in file storage systems among hosts, and 4) to transfer data reliably and efficiently." The FTP protocol is somewhat complex and uses three methods to transfer files. The one thing to remember is that the client chooses the connection method; the server has the option to refuse it, at which point the connection will fail.


Active FTP Method

In this method, the FTP client opens a dynamic port of its own choosing and waits for the FTP server to connect to it (the server is the “active” participant). Since the client decides the method, it sends a “PORT” command containing the IP address and port to which the server needs to connect.

When you examine a packet trace, you will see the client send its IP address and port to the server in the form (h1,h2,h3,h4,p1,p2). For example, (192,168,1,102,4,2) indicates that the client is listening on IP 192.168.1.102, TCP port 1026 ((4 * 256) + 2), after which the transfer will start using the new port.


Passive FTP Method

In this method, the FTP client connects to the server on a dynamic port chosen by the server. Again, since the client decides the method, it sends a “PASV” command to initiate the passive transfer, and the server responds with a message containing the IP address and port (using the same syntax as Active FTP), something like "227 Entering Passive Mode (192,168,60,11,192,52)".


Extended Passive Mode - IPv6 and NAT

With the release of RFC 2428 in September 1998, Extended Passive Mode was added as another FTP transfer method to support IPv6 and NAT. In this mode, the FTP server operates exactly as in passive mode. The only difference is that it transmits only the port number (not broken into high and low bytes), and the client is to assume it connects to the same IP address it was originally connected to.
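The three encodings described above can be decoded from a captured control channel as follows. This is an added example, not code from the original diary; the function names, the constructed sample lines and the 229 reply text are assumptions for illustration.

```python
import re

# (h1,h2,h3,h4,p1,p2) field carried by PORT and by the 227 reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 reply field, e.g. (|||6446|): delimiter repeated, then the port only
_EPSV = re.compile(r"\((.)\1\1(\d{1,5})\1\)")

def _decode_hostport(text):
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte value out of range in %r" % text)
    # The port is sent as high byte, low byte: (p1 * 256) + p2
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_endpoint(line, client_ip, server_ip):
    """Return (mode, listener_ip, listener_port, same_host), or None if the
    control-channel line does not announce a data connection."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        ip, port = _decode_hostport(line[5:])
        return ("active", ip, port, ip == client_ip)
    if line.startswith("227"):
        ip, port = _decode_hostport(line[3:])
        return ("passive", ip, port, ip == server_ip)
    if line.startswith("229"):
        m = _EPSV.search(line)
        if not m or not 0 < int(m.group(2)) <= 65535:
            raise ValueError("malformed 229 reply: %r" % line)
        # No address is sent: the client reuses the control-connection peer
        return ("extended-passive", server_ip, int(m.group(2)), True)
    return None

# Constructed sample control-channel lines (not from a real capture)
SAMPLE = [
    "USER anonymous",
    "PORT 192,168,1,102,4,2",
    "227 Entering Passive Mode (192,168,60,11,192,52)",
    "229 Entering Extended Passive Mode (|||6446|)",
]

def decode_trace(lines, client_ip, server_ip):
    found = (data_endpoint(l, client_ip, server_ip) for l in lines)
    return [f for f in found if f is not None]

if __name__ == "__main__":
    for entry in decode_trace(SAMPLE, "192.168.1.102", "192.168.60.11"):
        print(entry)
```

A `same_host` value of False means the advertised address is not the control-connection peer, which is what a trace shows when a NAT device in the path does not rewrite the FTP payload.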


The basic concept of an FTP transfer is that the client opens a control connection to the server on TCP port 21 and specifies a source port to which the FTP server should respond (IP and port information). The FTP server sends its response using port 21. At this point, the server and client negotiate the data transfer parameters. The FTP server opens a second connection for data on port 20 to the client. The client then responds on the data port to complete the connection, and data transfer begins.

This protocol is insecure for transferring files because everything is sent in the clear: user names, passwords, FTP commands and transferred files can be captured using a packet sniffer. An alternative is to use the Secure File Transfer Protocol (SFTP) to protect the information in transit.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Keywords: FTP