
Detecting non-standard ftp usage (!= tcp 21) using IDSM2 5.0 & CN-MARS v3.4

rsumidacisco
Level 1

Hello,

We recently installed our IDSMs and a MARS box to monitor our core traffic. I'm trying to set up a MARS "User Inspection Rule" to notify me when there is FTP traffic on a port other than port 21. Is there an easy way to do this?

I don't see any IPS sigs that will trigger on normal FTP events (e.g. open data connection success, STOR and RETR request, etc.). I'm sure someone out there has already set up something like this before? Any help is appreciated.

Ryan

2 Replies

ibanezm
Level 1

There are IPS sigs that trigger on normal FTP events such as STOR and RETR. Check out 3156 and 3155. You can configure these (and any other ftp sig) to fire on a different port besides or instead of 21.

mhellman
Level 7

Take a look at sig 3171 to get a feel for how a custom signature might look, then create your own. To be honest, I've not done a lot of custom sigs...but looking on every port for ftp-like behavior seems like it might put quite a burden on your sensor.
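
Added example, not from any poster in this thread and not IDSM2 or MARS configuration: a Python illustration of the matching idea discussed above (FTP control verbs such as STOR and RETR seen on a port other than 21), run over constructed TCP segments. The function name, the verb list and the sample addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Client-side FTP control verbs (RFC 959). Verbs shared with other
# line-based protocols (QUIT, LIST, HELP) are left out on purpose.
FTP_CMD = re.compile(rb"^(USER|PASS|STOR|RETR|PORT|PASV|CWD|TYPE)\b", re.I)
# Server replies: three-digit code followed by a space or hyphen.
FTP_REPLY = re.compile(rb"^[1-5][0-5][0-9][ -]")
STANDARD_PORT = 21

def find_offport_ftp(segments):
    """Return sorted (server_ip, server_port) pairs that carried FTP-like
    command and reply traffic on a port other than 21.

    segments: iterable of (src_ip, src_port, dst_ip, dst_port, payload).
    An endpoint is flagged only when both an FTP verb and a numeric reply
    are seen for it, so a lone "220 ..." banner (as SMTP also sends) does
    not match by itself.
    """
    seen = defaultdict(set)  # (server_ip, server_port) -> {"cmd", "reply"}
    for src, sport, dst, dport, payload in segments:
        line = payload.lstrip()
        if FTP_CMD.match(line):
            # Client -> server: the destination is the candidate server.
            seen[(dst, dport)].add("cmd")
        elif FTP_REPLY.match(line):
            # Server -> client: the source is the candidate server.
            seen[(src, sport)].add("reply")
    return sorted(ep for ep, kinds in seen.items()
                  if kinds == {"cmd", "reply"} and ep[1] != STANDARD_PORT)

# Constructed sample segments (documentation address ranges, not real hosts).
SAMPLE = [
    ("10.0.0.5", 40000, "192.0.2.10", 2121, b"USER anonymous\r\n"),
    ("192.0.2.10", 2121, "10.0.0.5", 40000, b"331 Please specify the password.\r\n"),
    ("10.0.0.5", 40000, "192.0.2.10", 2121, b"STOR report.zip\r\n"),
    ("10.0.0.6", 40001, "192.0.2.20", 21, b"USER bob\r\n"),
    ("192.0.2.20", 21, "10.0.0.6", 40001, b"331 Password required\r\n"),
    ("192.0.2.30", 25, "10.0.0.7", 40002, b"220 mail.example ESMTP\r\n"),
    ("10.0.0.7", 40002, "192.0.2.30", 25, b"EHLO client.example\r\n"),
]

if __name__ == "__main__":
    for ip, port in find_offport_ftp(SAMPLE):
        print(f"FTP-like control traffic on non-standard port: {ip}:{port}")
```

Matching payloads on every port is the same per-packet work mhellman's reply warns about, so a check like this is better suited to offline capture review than to an inline sensor.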
