Table A-1 6.x to 7.0 Keyword Mapping (continued)
6.x Keyword: FTP
7.0 XML Attribute: NSC/SC/C/FTPAnalysis/port-request-check
Description:
FTP is a switch that tells Network Sensor to decode TCP port 21 packets and streams that specify a port command for file transfer. The decode extracts the command string, which is of the form port x,x,x,x,p,p, where x,x,x,x is the destination IP address and p,p is the destination port.
If the destination IP address is not equal to the source address of this packet, the packet is logged as a security event. This attack may indicate FTP port scanning, FTP mail bombing, FTP hijacking and a variety of other suspicious events. However, it could also result from a non-passive FTP file transfer attempt from a network address translated client. These events are labeled with the [FTP-BOUNCE] name.
When this command is enabled, Network Sensor will also look for general port requests (the p,p from the x,x,x,x,p,p) that specify ports lower than 1024. Such a port may indicate attempts at email spoofing, remote login attempts and other types of attacks. These events are labeled with the FTP-BOUNCE:LOWPORT name.

6.x Keyword: FTPCONVERT
7.0 XML Attribute: NSC/SC/C/FTPAnalysis
Description:
The FTP protocol works by establishing a control connection, and a data connection when data needs to be sent. The control connection can use Telnet commands that begin with the IAC byte (0xff). FTPAnalysis watches the control connection for these types of commands and interprets them for signature matching.
An IAC command sent in an FTP control connection is often an attempt to evade the IDS. If "NSC/SC/C/FTPAnalysis/verbose" on page A-17 is set, an event will be received for these types of evasions.

6.x Keyword: FTPCONVERT_VERBOSE
7.0 XML Attribute: NSC/SC/C/FTPAnalysis/verbose
Description:
Performs the same protocol conversions as "NSC/SC/C/FTPAnalysis" on page A-17, except that it logs events when possible IDS evasion techniques are used. The event currently logged when evasion is detected is: FTP:IAC-EVADE
Technical Note
For details on this evasion, refer to the "NSC/SC/C/FTPAnalysis" on page A-17 description.
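
The checks described in the table above, as an added Python example (not Network Sensor code and not from the manual). The function names, the verbose parameter, the sample addresses, and applying the low-port check independently of the address comparison are assumptions; the event names are the ones the table gives.

```python
import ipaddress
import re

IAC = 0xFF  # Telnet "Interpret As Command" byte
# PORT x,x,x,x,p,p as sent on the FTP control connection (TCP port 21)
PORT_RE = re.compile(rb"^PORT\s+" + rb",".join([rb"(\d{1,3})"] * 6) + rb"\s*$", re.I)

def strip_iac(line):
    """Return (line without Telnet IAC sequences, whether any IAC was seen).
    Simplification: subnegotiation (IAC SB ... IAC SE) is not parsed."""
    out, seen, i = bytearray(), False, 0
    while i < len(line):
        if line[i] != IAC:
            out.append(line[i])
            i += 1
            continue
        seen = True
        cmd = line[i + 1] if i + 1 < len(line) else None
        if cmd == IAC:                               # IAC IAC: escaped literal 0xff
            out.append(IAC)
            i += 2
        elif cmd is not None and 251 <= cmd <= 254:  # WILL/WONT/DO/DONT + option byte
            i += 3
        else:                                        # two-byte command such as NOP
            i += 2
    return bytes(out), seen

def analyze(src_ip, line, verbose=False):
    """Return the event names raised by one control-channel line from src_ip."""
    events = []
    cleaned, had_iac = strip_iac(line.rstrip(b"\r\n"))
    if had_iac and verbose:                  # reported only when verbose is set
        events.append("FTP:IAC-EVADE")
    m = PORT_RE.match(cleaned)
    if not m:
        return events
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        return events                        # malformed PORT argument, not decoded
    dest_ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    dest_port = fields[4] * 256 + fields[5]  # p,p is high byte, low byte (RFC 959)
    if dest_ip != ipaddress.IPv4Address(src_ip):
        events.append("FTP-BOUNCE")
    if dest_port < 1024:
        events.append("FTP-BOUNCE:LOWPORT")
    return events

if __name__ == "__main__":
    # Constructed sample: client 192.0.2.10 names another host and port 25
    print(analyze("192.0.2.10", b"PO\xff\xf1RT 198,51,100,7,0,25\r\n", verbose=True))
```

The IAC sequence is removed before the PORT match, so a command split by Telnet bytes is still decoded, which is the conversion the FTPCONVERT row describes.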
Creating Network Sensor Policies and Signatures A-17
6.x to 7.x Mappings