Cisco Support Community
New Member

Detecting non-standard ftp usage (!= tcp 21) using IDSM2 5.0 & CN-MARS v3.4

Hello,

We recently installed our IDSMs and a MARS box to monitor our core traffic. I'm trying to set up a MARS "User Inspection Rule" to notify me when there is FTP traffic on a port other than port 21. Is there an easy way to do this?

I don't see any IPS sigs that will trigger on normal FTP events (e.g. open data connection success, STOR and RETR request, etc.). I'm sure someone out there has already set up something like this before? Any help is appreciated.

Ryan

2 REPLIES
New Member

Re: Detecting non-standard ftp usage (!= tcp 21) using IDSM2 5.0

There are IPS sigs that trigger on normal FTP events such as STOR and RETR. Check out 3156 and 3155. You can configure these (and any other ftp sig) to fire on a different port besides or instead of 21.

Gold

Re: Detecting non-standard ftp usage (!= tcp 21) using IDSM2 5.0

Take a look at sig 3171 to get a feel for how a custom signature might look, then create your own. To be honest, I've not done a lot of custom sigs...but looking on every port for ftp-like behavior seems like it might put quite a burden on your sensor.
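
The idea discussed in this thread, recognising FTP control-channel behaviour on ports other than 21, shown as an added example in Python (not code from the thread, and not IDSM2 or MARS configuration). The flow records and their field names are constructed for illustration; only the first few lines of each direction are inspected, which limits the per-flow cost raised in the last reply.

```python
import re

# FTP control-channel markers from RFC 959: server reply codes and client verbs.
FTP_REPLY = re.compile(rb"^(220|331|230|150|226)[ -]")
FTP_VERB = re.compile(rb"^(USER|PASS|STOR|RETR|PORT|PASV|LIST)( |\r\n)", re.I)
MAX_LINES = 4  # inspect only the start of each flow to bound the work per connection


def looks_like_ftp(flow):
    """True when both directions of a flow show FTP control-channel syntax."""
    server_hit = any(FTP_REPLY.match(l) for l in flow["server_lines"][:MAX_LINES])
    client_hit = any(FTP_VERB.match(l) for l in flow["client_lines"][:MAX_LINES])
    # Requiring both sides avoids flagging SMTP (220 banner) or POP3 (USER/PASS).
    return server_hit and client_hit


def nonstandard_ftp(flows, standard_port=21):
    """Return the flows that behave like FTP but are not on the standard port."""
    return [f for f in flows if f["dst_port"] != standard_port and looks_like_ftp(f)]


# Constructed sample flows (hypothetical record layout, not a real capture format).
SAMPLE_FLOWS = [
    {"dst_port": 21,
     "server_lines": [b"220 FTP ready\r\n", b"331 Password required\r\n"],
     "client_lines": [b"USER ryan\r\n", b"PASS secret\r\n"]},
    {"dst_port": 2121,
     "server_lines": [b"220 Service ready\r\n", b"150 Opening data connection\r\n"],
     "client_lines": [b"USER anonymous\r\n", b"STOR backup.tar\r\n"]},
    {"dst_port": 25,
     "server_lines": [b"220 mail.example.test ESMTP\r\n"],
     "client_lines": [b"EHLO client.example.test\r\n"]},
    {"dst_port": 110,
     "server_lines": [b"+OK POP3 ready\r\n"],
     "client_lines": [b"USER ryan\r\n"]},
    {"dst_port": 8080,
     "server_lines": [b"HTTP/1.1 200 OK\r\n"],
     "client_lines": [b"GET / HTTP/1.1\r\n"]},
]

if __name__ == "__main__":
    for flow in nonstandard_ftp(SAMPLE_FLOWS):
        print("FTP-like control channel on port", flow["dst_port"])
```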
