06-19-2003 08:22 AM - edited 03-09-2019 03:44 AM
Has anyone ever seen this "FTP Improper Port" alarm?
It appeared when one of my users used the WSFTP application.
Any ideas on how to troubleshoot this? Should I even be worried about it?
Any thoughts would be much appreciated.
Thank you!
06-19-2003 08:49 AM
This is a pretty specific alarm. It fires when a client issues an FTP PORT command specifying a TCP port number < 1024 or > 65355. This is related to FTP Bounce types of attacks. It is possible that the WSFTP client application is using a port < 1024 for the incoming DATA connection from the FTP server causing a false positive alarm. This is not the general practice, as ports < 1024 are traditionally considered privileged. A traffic trace of the FTP session should clear it up. If you know that the FTP session is normal traffic, I'd recommend creating a filter for the client causing the alarms.
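As an added illustration (not part of the reply above, and not Cisco's signature code), here is the check described in that reply, applied to FTP control-channel lines. It goes one step beyond the port range and also flags a PORT address that differs from the client's, which is the FTP bounce pattern. The function names, the sample session, and the 65535 upper bound (the highest valid TCP port) are assumptions of this example.

```python
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" -> data port = p1 * 256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)

def parse_port_command(line):
    """Return (ip, port) from an FTP PORT command line, or None if it is not one."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_port_command(line, client_ip, low=1024, high=65535):
    """Return a list of findings for one control-channel line (empty list = clean)."""
    parsed = parse_port_command(line)
    if parsed is None:
        return []
    ip, port = parsed
    findings = []
    if port < low or port > high:
        findings.append(f"improper port {port}")
    if ip != client_ip:
        # Data connection pointed at a third party: the FTP bounce pattern.
        findings.append(f"data address {ip} differs from client {client_ip}")
    return findings

# Constructed sample session: (client IP on the control connection, command line).
SAMPLE = [
    ("192.0.2.10", "USER anonymous"),
    ("192.0.2.10", "PORT 192,0,2,10,12,204"),   # 12*256+204 = 3276, normal
    ("192.0.2.10", "PORT 192,0,2,10,0,25"),     # privileged port 25
    ("192.0.2.10", "PORT 198,51,100,7,0,139"),  # third-party host, port 139
    ("192.0.2.10", "PORT 192,0,2,10,256,0"),    # malformed octet, computes to 65536
]

def scan(session):
    """Return (command, findings) for every line in the session that raised a finding."""
    return [(cmd, f) for ip, cmd in session if (f := check_port_command(cmd, ip))]

if __name__ == "__main__":
    for cmd, findings in scan(SAMPLE):
        print(f"{cmd!r}: {'; '.join(findings)}")
```

Running the same parse over the PORT lines in a traffic trace of the session shows which port the client actually requested.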
06-19-2003 08:56 AM
Thanks for the response!
I captured syslog messages from my PIX 515 and came up with these entries for this FTP session:
Built outbound TCP connection 1243246 for outside:206.222.217.2/21 (206.222.217.2/21) to inside:xx.xx.xxx.xxx/3275
Built outbound TCP connection 1243256 for outside:206.222.217.2/53782 (206.222.217.2/53782) to inside:xx.xx.xxx.xxx/3276
Teardown TCP connection 1243256 for outside:206.222.217.2/53782 to inside:xx.xx.xxx.xxx/3276
Would this be it? I would assume that this has to do with the xlate table on the PIX?
Let me know what you think.
Thanks!