Rule:  

--
Sid:
503

--
Summary:
This event is generated when possible non-legitimate traffic is detected
that should not be allowed through a firewall.

--
Impact:
This can be used to pass through a poorly configured firewall.

--
Detailed Information:
Traffic from port 20 is normally FTP traffic.  Commands are passed to an FTP server over port 21.  In order to download files, a client tells the FTP server to connect to the client on port 'X' where 'X' is a port above 1023.  The FTP server then connects to the client on the given port using the source port of 20.  Ports below 1024 are privileged, a legitimate connection from an ftp server should always be to a port above 1023.  Some misconfigured firewalls may blindly allow connections to any port from a source port of 20.

--
Affected Systems:
All

--
Attack Scenarios:
An attacker could use a source port of 20 for TCP connections to bypass a poorly configured firewall.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Connections from port 20 should only be allowed to ports >=1024. A better solution would be block this traffic entirely and force FTP clients inside the firewall to use PASV mode.

--
Contributors:
Original Rule Writer Unknown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Steven Alexander<alexander.s@mccd.edu>

-- 
Additional References:

--
