Symantec™ Security Gateways Reference Guide - Sawmill

IDS eventsSuspicious activity375FTP Malformed DataBase Event:Details:Response:Affected:FTPCLI_EXPECTED_RNTOA RNFR command was sent, but was followed by something other than a RNTO command.If seen in sufficient volume or variation, and other suspicious factors exist, audit of client andserver is recommended. Examination of the packet contents may provide some additionalinformation about the particular command.No specific targets.False Positives: None known.ReferencesFTP SpecificationsFTP Malformed DataBase Event:Details:Response:Affected:FTPCLI_SENT_CEL_COMMANDA “CEL” command was sent from an FTP client. This command is usually not implemented.If seen in sufficient volume or variation, and other suspicious factors exist, audit of client andserver is recommended.No specific targets.False Positives: None known.ReferencesFTP SpecificationsFTP Malformed DataBase Event:Details:Response:Affected:FTPSER_AUDIOGALAXY_EXTRA_AFTER_IPAudio galaxy is another protocol that operates on the FTP port. Audio galaxy is only supposed tosend an IP address and disconnect. This event is generated when extra data is sent after the IPaddress.If seen in sufficient volume or variation, and other suspicious factors exist, audit of client andserver is recommended. Examination of the packet contents may provide some additionalinformation about the particular command. If you do not intend to allow tunneling through FTP inyour network you may also want to add some network filters.No specific targets.False Positives: It is possible this is some unexpected change to or variation in Audio galaxy.ReferencesAudio GalaxyFTP SpecificationsFTP Malformed DataBase Event:Details:Response:FTPSER_EXPECTED_LFAn FTP command was sent without the proper line termination.If seen in sufficient volume or variation, and other suspicious factors exist, audit of client andserver is recommended. Examination of the packet contents may provide some additionalinformation about the particular command.