FTPS/SFTP is not supported by SG, and some FTP client transactions for the secure FTP protocol are detected by IDS as security alerts.


Article ID: 165776


Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

The FEAT command is not fully implemented (supported) in the current SGOS code because the FTPS/SFTP proxy is not supported by BlueCoatSG.

Some IDS may detect these transactions (Frame#123 - 126 in the sample packet trace below) as a security alert.

 

Resolution

Some FTP clients send the FEAT command to ask whether a secure FTP connection is available on the FTP server.

 

For details, refer to "Securing FTP with TLS (RFC4217) - 6. Response to the FEAT Command" (http://tools.ietf.org/html/rfc4217#section-6):

The FEAT command (introduced in [RFC-2389]) allows servers with additional features to advertise these to a client by responding to the FEAT command.

 

The following sample packet capture shows the client sending the FEAT command to the SG (Frame#123) before the FTP credential exchange (Frame#132, 138) with the FTP server.

In this case, the SG returns "530 User access denied" for the command. After "230 Login successful", the SG forwards the "FEAT" command to the FTP server and returns "211 No features" to the client.

 

========================================================
 Sample packet capture
========================================================
No.  Time    Source           Destination      S.Port D.Port Protocol Info
122  111.80  [BlueCoatSG IP]  [  Client IP  ]  21     11786  FTP      Response: 220 Blue Coat FTP Service
123  111.88  [  Client IP  ]  [BlueCoatSG IP]  11786  21     FTP      Request: FEAT
124  111.88  [BlueCoatSG IP]  [  Client IP  ]  21     11786  FTP      Response: 530 User access denied.
125  111.97  [  Client IP  ]  [BlueCoatSG IP]  11786  21     FTP      Request: AUTH TLS
126  111.97  [BlueCoatSG IP]  [  Client IP  ]  21     11786  FTP      Response: 500 Syntax error, command unrecognized.
127  112.05  [  Client IP  ]  [BlueCoatSG IP]  11786  21     FTP      Request: USER guest
131  112.05  [FTP Server IP]  [BlueCoatSG IP]  21     51096  FTP      Response: 220 Welcome to FTP server
132  112.05  [BlueCoatSG IP]  [FTP Server IP]  51096  21     FTP      Request: USER guest
137  112.14  [  Client IP  ]  [BlueCoatSG IP]  11786  21     FTP      Request: PASS xxxx
138  112.14  [BlueCoatSG IP]  [FTP Server IP]  51096  21     FTP      Request: PASS xxxx
140  112.15  [FTP Server IP]  [BlueCoatSG IP]  21     51096  FTP      Response: 230 Login successful.
141  112.15  [BlueCoatSG IP]  [  Client IP  ]  21     11786  FTP      Response: 230 Login successful.
143  112.24  [  Client IP  ]  [BlueCoatSG IP]  11786  21     FTP      Request: FEAT
144  112.24  [BlueCoatSG IP]  [FTP Server IP]  51096  21     FTP      Request: FEAT
146  112.24  [FTP Server IP]  [BlueCoatSG IP]  21     51096  FTP      Response: 550 Permission denied.
147  112.24  [BlueCoatSG IP]  [  Client IP  ]  21     11786  FTP      Response: 211 No features
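
When triaging such an alert, the exchange in Frame#123 - 126 can be checked mechanically against the behaviour described above. The following Python sketch is an added example, not Blue Coat or SGOS code; the row format (frame number, C/S side, FTP line) and the label strings are assumptions made for illustration, and the rows are transcribed from the client-to-SG leg of the sample capture.

```python
# Client <-> SG control-channel rows transcribed from the sample capture
# (constructed input; format "frame side line" is an assumption of this example).
CAPTURE = """\
122 S 220 Blue Coat FTP Service
123 C FEAT
124 S 530 User access denied.
125 C AUTH TLS
126 S 500 Syntax error, command unrecognized.
127 C USER guest
137 C PASS xxxx
141 S 230 Login successful.
143 C FEAT
147 S 211 No features
"""

# FEAT (RFC 2389) and AUTH (RFC 4217) are the secure-FTP capability probes.
PROBES = {"FEAT", "AUTH"}


def classify(capture):
    """Pair each client command with the next SG reply and label the probes.

    Returns a list of (request_frame, verb, reply_code, label) tuples.
    A command with no reply in the capture (USER here) is simply superseded.
    """
    results, pending, logged_in = [], None, False
    for row in capture.splitlines():
        frame, side, line = row.split(" ", 2)
        if side == "C":
            pending = (int(frame), line.split()[0].upper())
            continue
        if pending is None:  # greeting banner: no command outstanding
            continue
        (req_frame, verb), pending = pending, None
        code = int(line[:3])
        if verb == "PASS" and code == 230:
            logged_in = True
        if verb not in PROBES:
            label = "normal"
        elif not logged_in and code in (500, 530):
            label = "pre-login probe rejected by proxy"  # Frame#123-126 pattern
        elif verb == "FEAT" and code == 211:
            label = "post-login FEAT answered"
        else:
            label = "review"  # e.g. AUTH accepted: not the behaviour described
        results.append((req_frame, verb, code, label))
    return results


if __name__ == "__main__":
    for item in classify(CAPTURE):
        print(item)
```

Rows labelled "review" do not match the SG behaviour this article describes and should be looked at rather than dismissed with the rest.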

 

We recommend ignoring this IDS security alert.