
Resolving IPS Packet Drop Error: FTP response length overflow

Overview

 

When you try to access the FTP server, the Intrusion Prevention System (IPS) might drop the connection and write the following entry to the error log:

[03/Mar/2020 20:00:00] IPS: Packet drop, severity: Medium, Rule ID: 125:6 ftp_pp: FTP response length overflow, proto:TCP, ip/port:123.456.789.10:11 (ftp.server.com) -> 987.654.432.10:50000 (control.domain.local, user:username@domain.local)

This article explains the error and outlines the steps to resolve it.

 


Root Cause

 

The welcome message from the FTP server exceeded the 256-character limit predefined in Kerio Control. In this case, the welcome message was well above 1000 characters. An example is shown below:

220-*****************************************************************
220-NOTICE TO USERS
220-
220-This system is the property of Company X. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
220-
220-Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized personnel and/or law enforcement personnel. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized personnel.
220-
220-Unauthorized or improper use of this system may result in disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
220-*****************************************************************
220-
220

 


Process

 

  1. Enable SSH, and log in to the Kerio Control console.

  2. Run the following command to remount the root file system as read-write:

    mount -o rw,remount /

  3. Open the snort.conf file, which is located in the /opt/kerio/winroute/snort/etc directory.

  4. Increase the value of the max_resp_len parameter in the preprocessor ftp_telnet_protocol section so that it is larger than the FTP server's welcome message.

  5. Save all the changes you have made and restart Kerio Control:

    /etc/boxinit.d/60winroute restart
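
Steps 3 and 4 can be scripted so the edit is checked and reversible. The following is an added example, not Kerio's own tooling: the function names, the sample file layout (taken from a stock Snort 2.x ftp_telnet section) and the value 2048 are assumptions.

```sh
#!/bin/sh
# Added example (not Kerio's code): raise max_resp_len in snort.conf, keeping a backup.

# Print every max_resp_len value found in the file, one per line.
get_max_resp_len() {
    sed -n 's/^.*max_resp_len[[:space:]]\{1,\}\([0-9]\{1,\}\).*$/\1/p' "$1"
}

# set_max_resp_len <snort.conf path> <new limit>
set_max_resp_len() {
    conf=$1
    new=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Accept decimal digits only, so nothing else can reach the sed expression.
    case $new in
        ''|*[!0-9]*) echo "limit must be a number: $new" >&2; return 1 ;;
    esac
    old=$(get_max_resp_len "$conf")
    # Refuse to guess when the parameter is missing or appears more than once.
    if [ "$(printf '%s\n' "$old" | grep -c '^[0-9]')" -ne 1 ]; then
        echo "expected exactly one max_resp_len entry in $conf" >&2
        return 1
    fi
    cp -p "$conf" "$conf.bak" || return 1
    sed "s/\(max_resp_len[[:space:]]\{1,\}\)[0-9]\{1,\}/\1$new/" \
        "$conf.bak" > "$conf" || return 1
    echo "max_resp_len: $old -> $(get_max_resp_len "$conf") (backup: $conf.bak)"
}

# Demo on a constructed file; the layout is assumed from a stock Snort 2.x
# ftp_telnet section and may differ from the file shipped with Kerio Control.
demo_dir=$(mktemp -d)
cat > "$demo_dir/snort.conf" <<'EOF'
preprocessor ftp_telnet_protocol: ftp client default \
    max_resp_len 256 \
    bounce yes \
    telnet_cmds yes
EOF
set_max_resp_len "$demo_dir/snort.conf" 2048   # 2048 is a constructed value
rm -rf "$demo_dir"
```

On the appliance, the function would be called with the snort.conf path from step 3 after the remount in step 2, followed by the restart in step 5.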

 


Verification

 

The FTP connection should now be established successfully, and the IPS log should no longer show the Rule ID 125:6 packet drop.

 

 

  1. Priyanka Bhotika