FTP Improper Port alarm in IEV??

ewieczorek
Level 1

Has anyone ever seen this "FTP Improper Port" alarm?

It appeared when one of my users used the WSFTP application.

Any ideas on how to troubleshoot this? Should I even be worried about it?

Any thoughts would be much appreciated.

Thank you!

2 Replies

mcerha
Level 3

This is a pretty specific alarm. It fires when a client issues an FTP PORT command specifying a TCP port number < 1024 or > 65355. This is related to FTP Bounce types of attacks. It is possible that the WSFTP client application is using a port < 1024 for the incoming DATA connection from the FTP server causing a false positive alarm. This is not the general practice, as ports < 1024 are traditionally considered privileged. A traffic trace of the FTP session should clear it up. If you know that the FTP session is normal traffic, I'd recommend creating a filter for the client causing the alarms.
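The check this reply describes can be reproduced by hand on a traffic trace of the FTP control channel. The following is an added example, not part of the original thread and not Cisco's signature logic: it decodes each `PORT h1,h2,h3,h4,p1,p2` argument as defined in RFC 959 and reports privileged or out-of-range ports, plus a data address that differs from the client's own (the FTP Bounce pattern). The function names, the 65535 upper bound and the sample lines are assumptions of this example.

```python
import re

# Assumed bounds for this example: ports below 1024 are privileged,
# and 65535 is the largest valid TCP port.
LOW_PORT, MAX_PORT = 1024, 65535
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


def check_port_command(line, client_ip):
    """Return (data_ip, data_port, findings) for a PORT line, else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    data_ip = f"{h1}.{h2}.{h3}.{h4}"
    data_port = p1 * 256 + p2  # RFC 959: high byte, then low byte
    findings = []
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        findings.append("field out of range")
    if data_port < LOW_PORT:
        findings.append("privileged port")
    if data_port > MAX_PORT:
        findings.append("port above 65535")
    if data_ip != client_ip:
        findings.append("address differs from client")
    return data_ip, data_port, findings


def scan(control_lines, client_ip):
    """Return (line, port, findings) for every PORT command worth a look."""
    hits = []
    for line in control_lines:
        result = check_port_command(line, client_ip)
        if result and result[2]:
            hits.append((line.strip(), result[1], result[2]))
    return hits


# Constructed control-channel lines (documentation addresses, not from the thread).
SAMPLE = [
    "USER anonymous",
    "PORT 192,0,2,10,12,203",  # ordinary unprivileged data port
    "PORT 192,0,2,10,0,22",    # privileged data port
    "PORT 192,0,2,99,0,139",   # third-party host and privileged port
    "PORT 192,0,2,10,256,0",   # malformed high byte
    "RETR file.txt",
]

if __name__ == "__main__":
    for line, port, findings in scan(SAMPLE, "192.0.2.10"):
        print(f"{line!r}: port {port}: {', '.join(findings)}")
```

If the trace contains no PORT command at all, the client was using passive mode and the data connection is opened by the client toward the server instead.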

Thanks for the response!

I captured syslog messages from my PIX 515 and came up with these entries for this FTP session:

Built outbound TCP connection 1243246 for outside:206.222.217.2/21 (206.222.217.2/21) to inside:xx.xx.xxx.xxx/3275

Built outbound TCP connection 1243256 for outside:206.222.217.2/53782 (206.222.217.2/53782) to inside:xx.xx.xxx.xxx/3276

Teardown TCP connection 1243256 for outside:206.222.217.2/53782 to inside:xx.xx.xxx.xxx/3276

Would this be it?? I would assume that this has to do with the xlate table on the PIX??

Let me know what you think.

Thanks!