I have been receiving quite a few alarm triggers for the signature FTP Improper Address Specified ID: 3153. All of the alarms have triggered when the attacker's port is greater than 1024 and less than 65355. The victim's port is always port 21. Has anyone on the list seen false positives for this alarm and if so can the false positives be attributed to a single application?
I have seen the thread answer posted by MATTHEW CERHA of Cisco Systems Inc for a similar occurrence.
Matthew mentioned the WSFTP client application as being the possible offender. You could also check if any of your known users are trying to FTP in. If yes, you could narrow down your search to those applications.