Larry_Birch
Contributor

Passive FTP Issue

Since moving to R80.20 we've had an issue with the "ftp" service. As a stopgap we used "ftp-protocol-signature" and match for any, which is now causing issues as a great number of ports are now sporadically identified as such (80, 53, 443, etc). I am now trying to get back to the port-based ftp service and having issues. To troubleshoot I have an "ftp" rule followed by an "ftp-protocol-signature" rule.

The initial ftp connection on port 21 matches on the "ftp" service rule, however, upon negotiation of the data port it falls through to the second "ftp-protocol-signature" rule around line 8:

 

 

| No. | Time | Source | Destination | Protocol | Length | Info |
|---|---|---|---|---|---|---|
| 1 | 0 | 192.139.152.XXX | 216.8.153.YYY | TCP | 62 | 55479 > 21 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1 |
| 2 | 0.034743 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55479 > 21 [ACK] Seq=1 Ack=1 Win=32768 Len=0 |
| 3 | 0.050639 | 192.139.152.XXX | 216.8.153.YYY | FTP | 60 | Request: SYST |
| 4 | 0.066276 | 192.139.152.XXX | 216.8.153.YYY | FTP | 72 | Request: USER ********* |
| 5 | 0.08137 | 192.139.152.XXX | 216.8.153.YYY | FTP | 69 | Request: PASS ********** |
| 6 | 0.154162 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55479 > 21 [ACK] Seq=40 Ack=235 Win=32768 Len=0 |
| 7 | 0.168541 | 192.139.152.XXX | 216.8.153.YYY | FTP | 60 | Request: PASV |
| 8 | 0.184125 | 192.139.152.XXX | 216.8.153.YYY | TCP | 62 | 55486 > 63690 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1 |
| 9 | 0.198893 | 192.139.152.XXX | 216.8.153.YYY | FTP | 83 | Request: STOR FILEXXXXX |
| 10 | 0.214221 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55486 > 63690 [ACK] Seq=1 Ack=1 Win=32768 Len=0 |
| 11 | 0.229467 | 192.139.152.XXX | 216.8.153.YYY | TCP | 1406 | 55486 > 63690 [ACK] Seq=1 Ack=1 Win=32768 Len=1352 |
| 12 | 0.229566 | 192.139.152.XXX | 216.8.153.YYY | TCP | 1406 | 55486 > 63690 [ACK] Seq=1353 Ack=1 Win=32768 Len=1352 |
| 13 | 0.22961 | 192.139.152.XXX | 216.8.153.YYY | TCP | 764 | 55486 > 63690 [PSH, ACK] Seq=2705 Ack=1 Win=32768 Len=710 |
| 14 | 0.229614 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55486 > 63690 [FIN, ACK] Seq=3415 Ack=1 Win=32768 Len=0 |
| 15 | 0.245719 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55486 > 63690 [ACK] Seq=3416 Ack=2 Win=32768 Len=0 |
| 16 | 0.245726 | 192.139.152.XXX | 216.8.153.YYY | FTP | 59 | Request: PWD |
| 17 | 0.260447 | 192.139.152.XXX | 216.8.153.YYY | FTP | 83 | Request: RNFR FILEXXXXX |
| 18 | 0.275011 | 192.139.152.XXX | 216.8.153.YYY | FTP | 86 | Request: RNTO FILEYYYYY |
| 19 | 0.30613 | 192.139.152.XXX | 216.8.153.YYY | FTP | 60 | Request: QUIT |
| 20 | 0.3216 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55479 > 21 [FIN, ACK] Seq=147 Ack=449 Win=32768 Len=0 |
| 21 | 0.321714 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 55479 > 21 [ACK] Seq=148 Ack=450 Win=32768 Len=0 |
| 22 | 1.576145 | 192.139.152.XXX | 216.8.153.YYY | TCP | 66 | 21 > 63691 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 |
| 23 | 1.590468 | 192.139.152.XXX | 216.8.153.YYY | FTP | 81 | Response: 220 Microsoft FTP Service |
| 24 | 1.605046 | 192.139.152.XXX | 216.8.153.YYY | FTP | 77 | Response: 331 Password required |
| 25 | 1.620133 | 192.139.152.XXX | 216.8.153.YYY | FTP | 1088 | Response: 230-WARNING: |
| 26 | 1.62016 | 192.139.152.XXX | 216.8.153.YYY | FTP | 75 | Response: 230 User logged in. |
| 27 | 1.634786 | 192.139.152.XXX | 216.8.153.YYY | FTP | 74 | Response: 200 Type set to I. |
| 28 | 1.648881 | 192.139.152.XXX | 216.8.153.YYY | FTP | 70 | Response: 215 Windows_NT |
| 29 | 1.663016 | 192.139.152.XXX | 216.8.153.YYY | FTP | 88 | Response: 211-Extended features supported: |
| 30 | 1.663093 | 192.139.152.XXX | 216.8.153.YYY | FTP | 72 | Response: LANG EN* |
| 31 | 1.663115 | 192.139.152.XXX | 216.8.153.YYY | FTP | 107 | Response: AUTH TLS;TLS-C;SSL;TLS-P; |
| 32 | 1.663132 | 192.139.152.XXX | 216.8.153.YYY | FTP | 61 | Response: HOST |
| 33 | 1.663153 | 192.139.152.XXX | 216.8.153.YYY | FTP | 91 | Response: SIZE |
| 34 | 1.677245 | 192.139.152.XXX | 216.8.153.YYY | FTP | 112 | Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON. |
| 35 | 1.712574 | 192.139.152.XXX | 216.8.153.YYY | FTP | 83 | Response: 250 CWD command successful. |
| 36 | 1.729417 | 192.139.152.XXX | 216.8.153.YYY | FTP | 103 | Response: 550 The system cannot find the file specified. |
| 37 | 1.74992 | 192.139.152.XXX | 216.8.153.YYY | FTP | 107 | Response: 227 Entering Passive Mode (192,139,152,XXX,237,68). |
| 38 | 1.764894 | 192.139.152.XXX | 216.8.153.YYY | TCP | 66 | 60740 > 24973 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1 |
| 39 | 1.788989 | 192.139.152.XXX | 216.8.153.YYY | FTP | 108 | Response: 125 Data connection already open; Transfer starting. |
| 40 | 1.803761 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 60740 > 24973 [ACK] Seq=1 Ack=2107 Win=131072 Len=0 |
| 41 | 1.807151 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 60740 > 24973 [ACK] Seq=1 Ack=2108 Win=131072 Len=0 |
| 42 | 1.8073 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 60740 > 24973 [FIN, ACK] Seq=1 Ack=2108 Win=131072 Len=0 |
| 43 | 1.807392 | 192.139.152.XXX | 216.8.153.YYY | FTP | 78 | Response: 226 Transfer complete. |
| 44 | 1.880154 | 192.139.152.XXX | 216.8.153.YYY | FTP | 68 | Response: 221 Good-Bye |
| 45 | 1.880182 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 21 > 63691 [FIN, ACK] Seq=1572 Ack=160 Win=130816 Len=0 |
| 46 | 1.895165 | 192.139.152.XXX | 216.8.153.YYY | TCP | 54 | 21 > 63691 [ACK] Seq=1573 Ack=161 Win=130816 Len=0 |

 

 

 

0 Kudos
1 Reply
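An added example, not part of the original post and not Check Point code: a port-based "ftp" rule can only cover the data connection if the filter reads the 227 reply on the control channel and derives the data port from its last two bytes. The sketch below does that derivation, also accepts the 229 (EPSV) reply form as a generalization, and labels SYNs against the result. The address 192.0.2.10 is a constructed stand-in for the redacted server address; the port bytes 237,68 and the ports 60740 and 63690 are the ones visible in the capture.

```python
import re

# 227 reply (RFC 959): (h1,h2,h3,h4,p1,p2), six one-byte decimal fields
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 reply (RFC 2428): (|||port|); the data host is the control-channel server
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")

# Constructed sample: 192.0.2.10 stands in for the redacted server address.
SERVER_IP = "192.0.2.10"
SAMPLE_REPLIES = [
    "230 User logged in.",
    "227 Entering Passive Mode (192,0,2,10,237,68).",
]
SAMPLE_SYNS = [("192.0.2.10", 60740), ("192.0.2.10", 63690)]


def data_endpoint(reply, server_ip):
    """Return the (ip, port) a 227/229 reply advertises, or None."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            return None  # malformed: every field must fit in one byte
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m and 0 < int(m.group(2)) <= 65535:
        return server_ip, int(m.group(2))
    return None


def classify(replies, syns, server_ip):
    """Label each (dst_ip, dst_port) SYN against the advertised data endpoints."""
    expected, notes = set(), []
    for reply in replies:
        ep = data_endpoint(reply, server_ip)
        if ep is None:
            continue
        if ep[0] != server_ip:  # NAT or a server advertising another host
            notes.append(f"reply advertises {ep[0]}, control peer is {server_ip}")
        expected.add(ep)
    verdicts = {dst: ("related-data" if dst in expected else "no-match") for dst in syns}
    return verdicts, notes


if __name__ == "__main__":
    print(classify(SAMPLE_REPLIES, SAMPLE_SYNS, SERVER_IP))
```

A SYN labelled `no-match` is one that a control-channel-aware filter has no negotiated endpoint for, so it would be evaluated against later rules on its own.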