Overview
When trying to access an FTP server through Kerio Control, the connection might be dropped by the Intrusion Prevention System (IPS), resulting in the following error log entry:
IPS: Packet drop, severity: Medium, Rule ID: 125:6 ftp_pp: FTP response length overflow, proto:TCP, ip/port:123.456.789.10:11 (ftp.server.com) -> 987.654.432.10:50000 (control.domain.local, user:username@domain.local)
This article provides information about the error and outlines the steps on how to resolve it.
Diagnosis
The welcome message (banner) sent by the FTP server exceeded the 256-character limit predefined for FTP responses in Kerio Control's Snort configuration. In this case the welcome message was well over 1000 characters, so the IPS treated it as a response length overflow and dropped the packet. An example of such a banner:
220-*****************************************************************
220-NOTICE TO USERS
220-
220-This system is the property of Company X. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
220-
220-Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized personnel and/or law enforcement personnel. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized personnel.
220-
220-Unauthorized or improper use of this system may result in disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
220-*****************************************************************
220-
220
Solution
-
Run the following command to make the system read-writable:
mount -o rw,remount /
-
Open the snort.conf file, which is located in the /opt/kerio/winroute/snort/etc directory.
-
Increase the value of the max_resp_len parameter in the preprocessor ftp_telnet_protocol section to the desired value (e.g. 2048).
-
Save all the changes you have made.
Important: once Kerio Control is rebooted or powered off, the change is reverted to the original value and the steps above must be repeated.
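The edit from the steps above, scripted so it can be repeated after a reboot. This is an added example and not Kerio's own tooling; it assumes the standard Snort syntax "max_resp_len <int>" inside a "preprocessor ftp_telnet_protocol:" block, and the sample config it writes is constructed for testing only.

```shell
#!/bin/sh
# Added example (not Kerio's own tooling): raise max_resp_len in the Snort
# ftp_telnet_protocol configuration. Assumes the standard Snort syntax
# "max_resp_len <int>" inside a "preprocessor ftp_telnet_protocol:" block.

# get_max_resp_len FILE
# Prints the first max_resp_len value found in FILE (empty if none).
get_max_resp_len() {
    sed -n -E 's/.*max_resp_len[[:space:]]+([0-9]+).*/\1/p' "$1" | head -n 1
}

# set_max_resp_len FILE NEWVALUE
# Rewrites every max_resp_len option in FILE to NEWVALUE, keeping FILE.bak.
# Returns 1 if NEWVALUE is not numeric or FILE contains no such option.
set_max_resp_len() {
    file=$1; new=$2
    case $new in
        ''|*[!0-9]*) echo "max_resp_len must be a number" >&2; return 1 ;;
    esac
    [ -n "$(get_max_resp_len "$file")" ] || { echo "no max_resp_len in $file" >&2; return 1; }
    cp "$file" "$file.bak" || return 1
    sed -E "s/(max_resp_len[[:space:]]+)[0-9]+/\1${new}/" "$file" > "$file.new" \
        && mv "$file.new" "$file"
}

# make_sample_conf FILE
# Writes a constructed fragment that mimics the relevant snort.conf section
# (sample data for testing, not the appliance's real file).
make_sample_conf() {
    cat > "$1" <<'EOF'
preprocessor ftp_telnet: global \
    inspection_type stateful
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
EOF
}

# On the appliance (root shell), after remounting / read-write:
#   mount -o rw,remount /
#   set_max_resp_len /opt/kerio/winroute/snort/etc/snort.conf 2048
```

Because the change does not survive a reboot, keeping this script at hand lets you reapply it without editing the file by hand each time.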
Testing
The FTP connection should be successfully established without the error.