Parabol
Contributor

Passive FTP traffic (TCP/30200 - 30220) causing multiple IPS false positives

Hi all,

We have an unusual problem at the moment where we've had multiple different IPS false positive incidents in the past month. Each time we have reactively added an IPS exception for the systems involved, but the frequency of the occurrences is very concerning.

In all instances, the traffic involved is TCP/30200-30220. The systems involved are using vsftpd (a Unix/Linux FTP server application) to transfer data, and the passive ports are defined as such:

  • pasv_min_port: 30200
  • pasv_max_port: 30220

The main protection triggering has been - Malicious Payload Encoding Remote Code Execution

But it has also triggered:

  • Ipswitch WS_FTP Server commands buffer overflow denial of service
  • Internet Explorer FTP Response Parsing Memory Corruption (MS07-016)

Obviously we could change the protection behavior to detect or inactive, but this isn't ideal for us from a security view.

Has anybody else observed anything similar? Our solution at the moment is reactively adding exceptions, but this isn't sustainable if it keeps continuing with new systems and new protections.

Although one thing I've noticed is that all the triggered protections have a "Medium confidence", and so is this just an expected byproduct of enabling such protections?

Thanks!

3 Replies
the_rock
Legend

Can't say I ever experienced this in R80+, but, just wondering, how is your IPS profile configured? Is it set to the optimized (default) policy? Personally, in the meantime, maybe try doing the below?

Andy

Screenshot_1.png

Timothy_Hall
Legend


Unless you can determine the precise reason for the falses you are kind of stuck, and doing so will require a TAC case.

My guess is that these Medium Confidence protections have a fairly short set of bytes they are pattern matching for, and that sequence of bytes happens to be showing up in your data streams occasionally. Not perfect from a security perspective, but you could add an IPS blade-based exception only matching your passive ports like this. I was hoping to find a way to confine this exception only to FTP protocol traffic, but that doesn't appear possible (you can try setting protocol FTP on the range object, but I'm pretty sure that won't work). If you can tighten up the exception's source and/or destination to only internal networks, or only those that use vsftpd, that would be helpful:

ips_exception.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
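An added example, not from the thread or from Check Point: it reads the passive range out of a vsftpd.conf fragment and checks sample IPS records (constructed here; the key=value field layout is an assumption, not the gateway's log format) against it, grouping the in-range hits by source/destination pair so the exception can be scoped to the hosts actually using vsftpd, and setting aside hits from non-internal sources for review rather than widening the exception to them.

```python
import re
from collections import defaultdict

# Constructed vsftpd.conf fragment using the port range from the thread.
VSFTPD_CONF = """\
listen=YES
pasv_enable=YES
pasv_min_port=30200
pasv_max_port=30220
"""

# Constructed IPS log lines; field names and layout are assumptions.
IPS_LOGS = [
    "src=10.1.1.5 dst=10.2.2.9 dport=30207 proto=tcp confidence=Medium "
    "protection='Malicious Payload Encoding Remote Code Execution'",
    "src=10.1.1.5 dst=10.2.2.9 dport=30215 proto=tcp confidence=Medium "
    "protection='Ipswitch WS_FTP Server commands buffer overflow denial of service'",
    "src=10.1.1.7 dst=10.2.2.9 dport=21 proto=tcp confidence=Medium "
    "protection='Internet Explorer FTP Response Parsing Memory Corruption (MS07-016)'",
    "src=203.0.113.4 dst=10.2.2.20 dport=30210 proto=tcp confidence=High "
    "protection='VMware Multiple Products NAT Service Buffer Overflow'",
]

def passive_range(conf):
    """Return (pasv_min_port, pasv_max_port) as ints, or None if either is unset."""
    vals = dict(re.findall(r"^(pasv_(?:min|max)_port)=(\d+)", conf, re.M))
    if "pasv_min_port" not in vals or "pasv_max_port" not in vals:
        return None
    return int(vals["pasv_min_port"]), int(vals["pasv_max_port"])

def parse_log(line):
    """Split a key=value record; quoted values may contain spaces."""
    kv = re.findall(r"(\w+)=('[^']*'|\S+)", line)
    return {k: v.strip("'") for k, v in kv}

def scope_exception(logs, prange, internal_prefix="10."):
    """Map (src, dst) -> set of protections hit on the passive range.
    Hits whose source is outside internal_prefix are returned separately."""
    lo, hi = prange
    hits, outside = defaultdict(set), []
    for line in logs:
        ev = parse_log(line)
        if ev.get("proto") != "tcp" or not lo <= int(ev["dport"]) <= hi:
            continue  # not passive-mode data traffic; a different problem
        if not ev["src"].startswith(internal_prefix):
            outside.append(ev)  # review before adding to the exception
            continue
        hits[(ev["src"], ev["dst"])].add(ev["protection"])
    return dict(hits), outside
```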
Parabol
Contributor

Thanks Timothy, I think this will be what we do. Another incident happened yesterday, this time a new protection "VMware Multiple Products NAT Service Buffer Overflow".

I've requested a list of systems from the customer that are using vsftpd on this port range, so that we can tighten it up like you say. I was hoping to only apply it to 3 or 4 protections; for a while it seemed to be only triggering these, but as we saw yesterday, new ones are still popping up.

We have got a TAC case open too and have provided some pcaps, so we will see if that helps as well.