644 Views, 6 Helpful, 4 Replies

FTP Improper Port or Address false positives

jodr
Level 1

We receive many alerts concerning signatures 3153 and 3154. These are all related to legitimate FTP traffic. I've studied the IP loggings, but I can't find the reason why it's triggering. One typical situation is an FTP script that accesses a whole list of servers to retrieve or put information one after the other. There is no FW or NATting in between client and server.

4 Replies

dblairii
Level 1

These two signatures are, by default, NOT enabled. The signatures are intended to detect an 'FTP Bounce'. In other words, a host that initiates an FTP session and specifies a different address using the PORT command (or a different data port). This allows the host to utilize a different destination for the FTP session (a host different from the host making the FTP request, or a different port).

I don't have these signatures enabled, but I would suspect that the events you are seeing are being triggered by the use of the PORT command.

Yes, indeed, in some of the IP logs I have, I see a PORT command passing by. However, when I calculate the port value, I get a normal value between 1024 and 65535. So there is no real reason to trigger. But another clue may be that an alert always triggers twice, once on improper port and once on improper address. An alert always comes in pairs of both signatures.

On our installation apparently both signatures are by default at 'Medium' alarm level.

Is there anyone who can confirm for me that both signatures (FTP improper address; FTP improper port) are triggered only on the fact that a PORT command is used, and not on the values used in this command?

During FTP, a 'port' command can be utilized to specify the client’s IP address/port from the FTP server to the client. You can actually specify any IP address/port using this command. This could allow someone to use the FTP server to perform a port scan on the client’s behalf. You will notice that the signature definition for 3153 and 3154 have the BadPortCmdAddress and BadPortCmdPort boolean values set to 'true' (respectively). I would infer from their description that they look for the port command utilized in conjunction with a different IP or port, than what is valid for that FTP session.

Hope that helps.

Don
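To make the check both posts are discussing concrete (the port arithmetic in the reply above and the "different IP or port than what is valid for that session" condition Don describes), here is an added example, not code from the thread or from the sensor: it parses PORT commands from a control-connection transcript, computes the data port as p1*256+p2, and flags an address that differs from the control connection's client (BadPortCmdAddress-style) or a port outside 1024-65535 (BadPortCmdPort-style). The transcript lines and the client IP are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 form: PORT h1,h2,h3,h4,p1,p2 (all six fields are 0-255)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)

@dataclass
class PortCheck:
    address: str       # data-connection address requested by the client
    port: int          # data-connection port requested by the client
    bad_address: bool  # address differs from the control connection's client
    bad_port: bool     # port outside the unprivileged range 1024-65535

def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (address, port) for a well-formed PORT command, else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):      # e.g. "PORT 300,..." is malformed
        return None
    address = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]    # high byte, low byte
    return address, port

def check_port_command(line: str, client_ip: str) -> Optional[PortCheck]:
    """Evaluate one PORT command against the client that owns the session."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    address, port = parsed
    return PortCheck(address, port,
                     bad_address=(address != client_ip),
                     bad_port=not (1024 <= port <= 65535))

def scan_session(lines: List[str], client_ip: str) -> List[PortCheck]:
    """Return one PortCheck per PORT command found in a control transcript."""
    return [c for c in (check_port_command(l, client_ip) for l in lines) if c]

# Constructed transcript: client 192.0.2.10 talking to an FTP server.
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 192,0,2,10,4,210",   # own address, port 4*256+210 = 1234: legitimate
    "PORT 192,0,2,99,0,25",    # other host, port 25: classic bounce shape
    "PORT 192,0,2,10,0,80",    # own address but privileged port 80
]
```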