07-14-2004 11:38 PM - edited 03-09-2019 08:04 AM
We receive many alerts concerning signatures 3153 and 3154. These are all related to legitimate FTP traffic. I've studied the IP loggings, but I can't find the reason why it's triggering. One typical situation is of an FTP script that is accessing a whole list of servers to retrieve or put information one after the other. There is no FW or NATting in between client and server.
07-15-2004 05:50 AM
These two signatures are, by default, NOT enabled. The signatures are intended to detect an 'FTP Bounce'. In other words, a host that initiates an FTP session and specifies a different address using the PORT command (or a different data port). This allows the host to utilize a different destination for the FTP session (a host different from the host making the FTP request or a different port).
I don't have these signatures enabled, but I would suspect that the events you are seeing are being triggered by the use of the PORT command.
07-16-2004 03:36 AM
Yes, indeed, in some of the IP logs I have, I see a PORT command passing by. However, when I calculate the port value, I get a normal value between 1024 and 65535. So there is no real reason to trigger. But another clue may be that an alert always triggers twice, once on improper port and once on improper address. An alert always comes in pairs of both signatures.
On our installation apparently both signatures are by default at 'Medium' alarm level.
08-20-2004 05:29 AM
Is there anyone who can confirm for me that both signatures (ftp improper address; ftp improper port) are triggered only on the fact that a PORT command is used and not on the values used in this command?
08-20-2004 06:31 AM
During FTP, a 'PORT' command can be utilized to specify the client's IP address/port for the data connection from the FTP server to the client. You can actually specify any IP address/port using this command. This could allow someone to use the FTP server to perform a port scan on the client's behalf. You will notice that the signature definitions for 3153 and 3154 have the BadPortCmdAddress and BadPortCmdPort boolean values set to 'true' (respectively). I would infer from their description that they look for the PORT command utilized in conjunction with a different IP or port than what is valid for that FTP session.
Hope that helps.
Don
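The following is an added example, not code from this thread or from the Cisco IDS signatures discussed in it. It shows the check the two replies above describe: parse the `PORT h1,h2,h3,h4,p1,p2` argument, derive the address and the port (`p1*256 + p2`), and compare them with the control connection's client address. The exact rules behind signatures 3153 and 3154 are not published on this page, so the two conditions flagged here (address differs from the client, port below 1024) are assumptions that mirror the reasoning in the thread; the sample session is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# PORT h1,h2,h3,h4,p1,p2 (RFC 959 syntax); octets are validated below.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


@dataclass
class PortCheck:
    command: str
    address: str
    port: int
    improper_address: bool  # data address is not the control-connection client
    improper_port: bool     # data port is in the privileged range (< 1024)


def parse_port_command(line: str) -> tuple[str, int]:
    """Return (address, port) encoded in a PORT command line."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in: {line!r}")
    address = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]  # p1 is the high byte, p2 the low byte
    return address, port


def check_port_command(line: str, client_ip: str) -> PortCheck:
    """Evaluate one PORT command against the client that sent it.

    Assumed policy (not the vendor's published rule): the data address must
    equal the control-connection peer, and the data port must be >= 1024.
    """
    address, port = parse_port_command(line)
    improper_address = ipaddress.ip_address(address) != ipaddress.ip_address(client_ip)
    improper_port = port < 1024
    return PortCheck(line.strip(), address, port, improper_address, improper_port)


def audit_session(client_ip: str, commands: list[str]) -> list[PortCheck]:
    """Run the check over every PORT command in a captured control session."""
    return [check_port_command(c, client_ip) for c in commands
            if c.strip().upper().startswith("PORT")]


if __name__ == "__main__":
    # Constructed control-channel transcript from client 10.1.2.3.
    session = [
        "USER anonymous",
        "PASS guest@example.invalid",
        "PORT 10,1,2,3,4,1",      # 10.1.2.3:1025 -> matches client, port >= 1024
        "RETR file1.txt",
        "PORT 10,9,9,9,0,25",     # 10.9.9.9:25  -> third-party host, privileged port
        "RETR file2.txt",
    ]
    for result in audit_session("10.1.2.3", session):
        flags = []
        if result.improper_address:
            flags.append("improper address")
        if result.improper_port:
            flags.append("improper port")
        print(f"{result.command:<22} -> {result.address}:{result.port} "
              f"{'ALERT ' + ', '.join(flags) if flags else 'ok'}")
```

Running it against the constructed session flags only the second PORT command, and it flags it on both conditions at once, which matches the observation earlier in the thread that the two alerts tend to arrive as a pair: a bounce to another host normally also names a service port below 1024.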