Parabol (Contributor)

Customer FTP traffic keeps triggering new IPS protections

Hi all,

We have an issue where a customer's FTP traffic (using port range TCP/30200-30220) keeps triggering new IPS protections. So far we have been reactively adding exceptions for each occurrence, but obviously this is not really a sustainable solution. Some of the protections triggered so far are listed below. I notice all of them are Medium confidence, and I did open a TAC case a year or so ago for a similar issue; they advised that low/medium confidence protections are susceptible to false positives, and that changing them to Detect is essentially the best solution. But I worry this creates some security gaps, as obviously real occurrences of the attacks can happen and could be missed.

Could you guys advise how you handle these types of protections? Is changing low/medium protections to Detect a best practice? The only other thing I can think of is to try and grab all of the IPs from our customer's systems and build some wider exception with them, so that all Medium protections Detect instead of Prevent (I am not sure this is possible?).

 

IPS protection                                            | # of incidents | Confidence Level | Severity | Performance Impact
----------------------------------------------------------|----------------|------------------|----------|-------------------
Internet Explorer FTP Response Parsing Memory Corruption  | 3              | Medium           | High     | High
Malicious Payload Encoding Remote Code Execution          | 2              | Medium           | High     | High
Tripwire Format String (CVE-2004-0536)                    | 1              | Medium           | Low      | Medium
VMware Multiple Products NAT Service Buffer Overflow      | 1              | Medium           | High     | Medium
Multiple SSH Initial Connection Requests                  | 1              | Medium           | High     | Low


Thanks, I appreciate any feedback!

2 Replies
PhoneBoy (Admin)

Nice to see some people are still using FTP 🙂

You can actually create a new Threat Prevention profile where Medium Confidence protections are set to Detect:

[image: screenshot of a Threat Prevention profile with Medium Confidence set to Detect]

Whether you should or not is a separate question.

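One way to act on PhoneBoy's suggestion without relaxing every Medium-confidence protection for all traffic, as an added example that is not part of the original thread and not Check Point's own code: keep the Medium tier at Prevent, add per-protection overrides only for the five protections that actually fired, and attach that profile to a Threat Prevention rule scoped to the customer's networks and the passive-FTP port range from the question. The script below builds the Management Web API request bodies for that. The request keys (add-network, add-group, add-service-tcp, add-threat-profile, add-threat-rule and their fields) are written from memory of the R8x Management API and are an assumption to verify against your release's API reference; the customer subnet, object names and layer name are invented placeholders.

```python
"""Added example (not from the original thread or from Check Point).

Emits Check Point Management Web API request bodies that scope the
"noisy Medium-confidence IPS protections -> Detect" change to one
customer's FTP traffic instead of every Medium protection for everyone.

ASSUMPTION: request keys follow the R8x Management API as the author of
this example recalls them; check them against your own API reference.
The subnet, object names and layer name are invented placeholders.
"""
import json

# Constructed from the table in the original post: the protections that
# actually false-positived on this customer's passive-FTP traffic.
TRIGGERED = [
    {"protection": "Internet Explorer FTP Response Parsing Memory Corruption",
     "incidents": 3, "confidence": "Medium", "severity": "High", "impact": "High"},
    {"protection": "Malicious Payload Encoding Remote Code Execution",
     "incidents": 2, "confidence": "Medium", "severity": "High", "impact": "High"},
    {"protection": "Tripwire Format String (CVE-2004-0536)",
     "incidents": 1, "confidence": "Medium", "severity": "Low", "impact": "Medium"},
    {"protection": "VMware Multiple Products NAT Service Buffer Overflow",
     "incidents": 1, "confidence": "Medium", "severity": "High", "impact": "Medium"},
    {"protection": "Multiple SSH Initial Connection Requests",
     "incidents": 1, "confidence": "Medium", "severity": "High", "impact": "Low"},
]

CUSTOMER_NETS = {"cust-acme-net1": "203.0.113.0/24"}  # placeholder (RFC 5737)
FTP_PASSIVE_PORTS = "30200-30220"                     # from the original post


def overrides_for(triggered, confidence="Medium", action="detect"):
    """Per-protection overrides: only protections that actually fired at the
    given confidence level move to `action`; every other protection keeps
    the profile default. This is the narrow alternative to flipping the whole
    confidence tier, which is what the poster worried would open gaps."""
    return [
        {"protection": t["protection"], "action": action,
         "track": "log", "capture-packets": True}
        for t in triggered if t["confidence"] == confidence
    ]


def build_requests(triggered, nets, ports, profile="TP-cust-acme-ftp",
                   layer="Standard Threat Prevention", tier_action="prevent"):
    """Return an ordered list of (api_command, body) pairs.

    The Medium tier stays at `tier_action`; only the listed protections are
    detect-only, and only for traffic from the customer's networks on the
    passive-FTP port range, because the profile is attached to a rule with
    that scope placed above the general rule."""
    reqs = []
    for name, cidr in nets.items():
        subnet, mask = cidr.split("/")
        reqs.append(("add-network", {"name": name, "subnet": subnet,
                                     "mask-length": int(mask)}))
    group = f"grp-{profile}"
    reqs.append(("add-group", {"name": group, "members": list(nets)}))
    svc = f"tcp-ftp-passive-{ports}"
    reqs.append(("add-service-tcp", {"name": svc, "port": ports}))
    reqs.append(("add-threat-profile", {
        "name": profile, "ips": True,
        "confidence-level-high": "prevent",
        "confidence-level-medium": tier_action,  # tier itself unchanged
        "overrides": overrides_for(triggered),
    }))
    reqs.append(("add-threat-rule", {
        "layer": layer, "position": "top",
        "name": f"{profile} scoped exception",
        "source": group, "destination": "Any", "service": svc,
        "action": profile,  # on a threat rule the action is the profile
        "track": "Log", "install-on": "Policy Targets",
    }))
    return reqs


def as_web_api_calls(reqs):
    """Render each request as `POST /web_api/<command>` plus its JSON body,
    ready to send with the X-chkp-sid header obtained from /web_api/login."""
    return [f"POST /web_api/{cmd}\n{json.dumps(body, indent=2)}"
            for cmd, body in reqs]


if __name__ == "__main__":
    calls = as_web_api_calls(
        build_requests(TRIGGERED, CUSTOMER_NETS, FTP_PASSIVE_PORTS))
    print("\n\n".join(calls))
```

Direction matters for the rule: here the customer's networks are the source and the port range is the service, which fits clients connecting to a passive-mode data port range; swap source and destination if the customer hosts the FTP server. The same five overrides can be made with mgmt_cli instead of raw Web API calls, and after adding them you still need publish and install-policy.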
the_rock (Legend)

My suggestion...do NOT use ftp 🙂

Andy
