Invalid FTP Command on smtp connection

matthew.goli1
Level 1

Hello,

 

We have two SMTP email gateways published on the internet, but we are getting a lot of alerts from Firepower about an invalid FTP command going to these SMTP servers:

 

[125:2:2] ftp_pp: Invalid FTP command [Impact: Potentially Vulnerable] From "p6-ips1" at Sun May 27 13:23:47 2018 UTC [Classification: Potentially Bad Traffic] [Priority: 2] {tcp} 185.55.191.197:63738 (united kingdom)->10.243.252.84:25 (unknown)

 

As you can see in the alert the destination port is 25 for SMTP, so why is this detecting as an FTP connection and triggering this invalid FTP command alert?

 

 

5 Replies

Marvin Rhoads
Hall of Fame

Drill all the way down into the event to look at the packet being sent. It could be an ftp command embedded/obfuscated in the smtp protocol.

Hi,

I'm attaching some screenshots. It says the offending command is:

[attached screenshots: Capture0.PNG, Capture1.PNG, Capture2.PNG]

That looks like legitimate SMTP traffic (an SMTP EHLO request).

 

Could it be that your objects have been incorrectly modified? For instance, look under Objects, Object Management, Variable Set and ensure that tcp/25 (smtp) has not been added to the ftp ports listing.

Hello,

Our default variable set has FTP_PORTS set to 21, 2100 and 3535.

[embedded screenshot: image001.png]

We do not have a variable for SMTP ports.
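The triage steps suggested in this thread (read the GID:SID and the destination port out of the alert, compare the port against the FTP_PORTS variable set, and look at whether the offending command verb is FTP or SMTP) can be scripted for bulk review of these events. The following is an added example, not code from the thread or from Cisco; it uses the alert line and the FTP_PORTS values (21, 2100, 3535) quoted above, while the SMTP port list, the verb lists and the function names are assumptions of the example. The verb check is a deliberately simplified model of what a command-validating preprocessor does, not a description of ftp_pp's actual internals.

```python
import re
from dataclasses import dataclass

# Constructed input: the alert line as quoted in the thread.
SAMPLE_ALERT = (
    '[125:2:2] ftp_pp: Invalid FTP command [Impact: Potentially Vulnerable] '
    'From "p6-ips1" at Sun May 27 13:23:47 2018 UTC '
    '[Classification: Potentially Bad Traffic] [Priority: 2] {tcp} '
    '185.55.191.197:63738 (united kingdom)->10.243.252.84:25 (unknown)'
)

# FTP_PORTS as reported from the default variable set in the thread.
FTP_PORTS = {21, 2100, 3535}
# Assumption: common SMTP submission/relay ports; the thread has no SMTP variable.
SMTP_PORTS = {25, 465, 587}

# Assumption: small verb lists drawn from RFC 959 (FTP) and RFC 5321 (SMTP).
FTP_VERBS = {"USER", "PASS", "CWD", "QUIT", "PORT", "PASV", "TYPE", "RETR",
             "STOR", "LIST", "NLST", "SYST", "FEAT", "AUTH", "PWD", "MKD",
             "DELE", "NOOP", "HELP"}
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
              "VRFY", "STARTTLS", "AUTH"}

# Matches the "[gid:sid:rev] msg [..] {proto} src:sport (..)->dst:dport" layout.
ALERT_RE = re.compile(
    r'^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>[^\[]+?)\s+\['
    r'.*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)'
    r'.*?->(?P<dst>[\d.]+):(?P<dport>\d+)'
)


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line: str) -> Alert:
    """Extract rule id, protocol and 5-tuple fields from one alert line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("unrecognised alert format")
    return Alert(int(m['gid']), int(m['sid']), int(m['rev']), m['msg'].strip(),
                 m['proto'], m['src'], int(m['sport']), m['dst'], int(m['dport']))


def variable_set_overlap(ftp_ports=FTP_PORTS, smtp_ports=SMTP_PORTS) -> set:
    """Ports present in both lists: the misconfiguration Marvin suggested checking."""
    return set(ftp_ports) & set(smtp_ports)


def triage(alert: Alert, ftp_ports=FTP_PORTS, smtp_ports=SMTP_PORTS) -> str:
    """Explain, from the flow's ports alone, why an FTP preprocessor alert is suspect."""
    if alert.gid != 125:          # GID 125 is the FTP preprocessor family in this alert
        return "not-ftp-preprocessor"
    if variable_set_overlap(ftp_ports, smtp_ports):
        return "variable-set-overlap: an SMTP port is listed in FTP_PORTS"
    if alert.dport in ftp_ports or alert.sport in ftp_ports:
        return "ftp-port: inspect the payload; this is an FTP-port flow"
    if alert.dport in smtp_ports:
        return "smtp-port: ftp_pp fired on a non-FTP port; review preprocessor port config"
    return "other-port: check which preprocessor claimed this flow"


def classify_command(payload: str) -> str:
    """Simplified model of a verb check: first token against each protocol's verb list."""
    tokens = payload.split()
    verb = tokens[0].upper() if tokens else ""
    is_ftp, is_smtp = verb in FTP_VERBS, verb in SMTP_VERBS
    if is_ftp and is_smtp:
        return "ambiguous"
    if is_ftp:
        return "ftp"
    if is_smtp:
        return "smtp"
    return "unknown"


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(a)
    print(triage(a))
    print(classify_command("EHLO mail.example.com"))
```

Running it against the quoted alert reports a flow to port 25 with no FTP_PORTS overlap, and classifies an EHLO line as SMTP rather than FTP, which is the combination the thread ends up with: a legitimate SMTP greeting that an FTP command validator has no verb entry for.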
Hmm, that covers the obvious reasons I could think of for why this might happen.

 

If you have a support contract I'd recommend opening a TAC case.
