Cisco Support Community
New Member

FTP Improper Port alarm in IEV??

Has anyone ever seen this "FTP Improper Port" alarm?

It appeared when one of my users used the WSFTP application.

Any ideas on how to troubleshoot this? Should I even be worried about it?

Any thoughts would be much appreciated.

Thank you!

2 REPLIES
Bronze

Re: FTP Improper Port alarm in IEV??

This is a pretty specific alarm. It fires when a client issues an FTP PORT command specifying a TCP port number < 1024 or > 65355. This is related to FTP Bounce types of attacks. It is possible that the WSFTP client application is using a port < 1024 for the incoming DATA connection from the FTP server causing a false positive alarm. This is not the general practice, as ports < 1024 are traditionally considered privileged. A traffic trace of the FTP session should clear it up. If you know that the FTP session is normal traffic, I'd recommend creating a filter for the client causing the alarms.
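The traffic-trace check suggested in the reply above, as an added example (not part of the original post and not the sensor's own signature logic): it decodes each FTP `PORT h1,h2,h3,h4,p1,p2` argument per RFC 959 and flags a data port below 1024. The out-of-range and address-mismatch checks, the function names and the sample session are assumptions constructed for illustration.

```python
import re

# RFC 959: PORT h1,h2,h3,h4,p1,p2 -> address h1.h2.h3.h4, port p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)


def check_port_command(line, client_ip):
    """Parse one control-channel line; return (ip, port, findings) or None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None  # not a PORT command
    fields = [int(x) for x in m.groups()]
    ip = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]
    findings = []
    if any(f > 255 for f in fields):
        findings.append("malformed-field")      # a field does not fit in one byte
    if port > 65535:
        findings.append("port-out-of-range")
    if port < 1024:
        findings.append("privileged-port")      # the condition the reply describes
    if ip != client_ip:
        findings.append("address-mismatch")     # assumption: extra bounce indicator
    return ip, port, findings


def scan_trace(lines, client_ip):
    """Return (line_number, ip, port, findings) for every suspicious PORT command."""
    hits = []
    for n, line in enumerate(lines, start=1):
        result = check_port_command(line, client_ip)
        if result and result[2]:
            hits.append((n,) + result)
    return hits


# Constructed sample: client-to-server lines of one FTP control session.
CLIENT_IP = "192.0.2.10"
SAMPLE_TRACE = [
    "USER anonymous",
    "PORT 192,0,2,10,12,205",   # port 3277, normal
    "PORT 192,0,2,10,0,22",     # port 22
    "PORT 198,51,100,7,0,25",   # third-party address, port 25
    "PORT 192,0,2,10,256,0",    # p1 does not fit in a byte
]

if __name__ == "__main__":
    for hit in scan_trace(SAMPLE_TRACE, CLIENT_IP):
        print(hit)
```

The `PORT` lines come from the control connection (TCP port 21) in a packet capture; connection-level firewall logs do not contain the command argument.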

New Member

Re: FTP Improper Port alarm in IEV??

Thanks for the response!

I captured syslog messages from my PIX 515 and came up with these entries for this FTP session:

Built outbound TCP connection 1243246 for outside:206.222.217.2/21 (206.222.217.2/21) to inside:xx.xx.xxx.xxx/3275

Built outbound TCP connection 1243256 for outside:206.222.217.2/53782 (206.222.217.2/53782) to inside:xx.xx.xxx.xxx/3276

Teardown TCP connection 1243256 for outside:206.222.217.2/53782 to inside:xx.xx.xxx.xxx/3276

Would this be it?? I would assume that this has to do with the xlate table on the PIX??

Let me know what you think.

Thanks!
