topic Re: Invalid FTP Command on smtp connection in Network Security

Invalid FTP Command on smtp connection

matthew.goli1 — Fri, 21 Feb 2020 15:49:08 GMT

Hello,

we have two SMTP email gateways published on the internet, but we are getting a lot of alerts from Firepower about an invlaid FTP command going to these SMTP servers:

[125:2:2] ftp_pp: Invalid FTP command [Impact: Potentially Vulnerable] From "p6-ips1" at Sun May 27 13:23:47 2018 UTC [Classification: Potentially Bad Traffic] [Priority: 2] {tcp} 185.55.191.197:63738 (united kingdom)->10.243.252.84:25 (unknown)

As you can see in the alert the destination port is 25 for SMTP, so why is this detecting as an FTP connection and triggering this invalid FTP command alert?

Re: Invalid FTP Command on smtp connection

Marvin Rhoads — Sun, 27 May 2018 15:09:43 GMT

Drill all the way down into the event to look at the packet being sent. It could be an ftp command embedded/obfuscated in the smtp protocol.

Re: Invalid FTP Command on smtp connection

matthew.goli1 — Sun, 27 May 2018 15:25:32 GMT

Hi,

i'm attaching some screen shots. it says the offending command is:

Re: Invalid FTP Command on smtp connection

Marvin Rhoads — Sun, 27 May 2018 17:14:48 GMT

That looks like legitimate smtp traffic. (smtp EHLO request)

Could it be that your objects have been incorrectly modified? For instance, look under Objects, Object Management, Variable Set and ensure that tcp/25 (smtp) has not been added to the ftp ports listing.

Re: Invalid FTP Command on smtp connection

matthew.goli1 — Mon, 28 May 2018 14:07:45 GMT

Hello,

Our default variable set has FTP_PORTS set to 21, 2100 and 3535

[cid:image001.png@01D3F663.5055ECC0]

We do not have an variable for SMTP ports.

Re: Invalid FTP Command on smtp connection

Marvin Rhoads — Mon, 28 May 2018 14:09:54 GMT

Hmm. that covers the obvious reasons why I could think this might happen.

If you have a support contract I'd recommend opening a TAC case.