2 Replies Latest reply on Aug 18, 2014 10:49 AM by nicole pauls

    LEM - find FTP traffic


      I want to create an alert for FTP traffic on the network. I am in Explore-nDepth. What event would you see that under?



        • Re: LEM - find FTP traffic

          Under Event Groups, look at Network Audit Alerts. There's source/destination port fields.  I'd expect the search to return specific event classes (like TCPTrafficAudit or IPTrafficAudit), and then you could build a rule to look for those events with the right characteristics for alerts.

          • Re: LEM - find FTP traffic
            nicole pauls

            Most firewalls: TCPTrafficAudit.DestinationPort = 21 (you might want to look for 20, but 21 is telltale)

            Proxy servers and application-layer aware firewalls where we know this traffic is FTP: FileTransferTrafficAudit


            There's actually a filter included out of the box (IT Operations => FTP Traffic) that you can do a historical search on by clicking Gear > send to nDepth (you might have to expand the time range). It tries to look for all Network Audit Alerts (which would include both of the above) where either the word FTP is included or it's to/from one of those ports, so it should catch most everything.
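The following is an added example, not code from the thread or from SolarWinds LEM: it emulates the matching logic of the "FTP Traffic" filter as the replies describe it (Network Audit Alerts, such as TCPTrafficAudit, IPTrafficAudit or FileTransferTrafficAudit, where the word FTP appears or the source/destination port is 20 or 21), and alongside it the narrower rule from the second reply (TCPTrafficAudit with DestinationPort = 21). The event records, the `Event` class and the set of event classes treated as Network Audit Alerts are constructed for illustration; LEM's own rule and filter format is not reproduced here.

```python
"""Emulation of the 'FTP Traffic' filter logic described in the thread.
Constructed example; not SolarWinds LEM's own API, filter or rule format."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: the event classes named in the replies are treated here as the
# Network Audit Alerts group. LEM's real group contains more classes.
NETWORK_AUDIT_CLASSES = {"TCPTrafficAudit", "IPTrafficAudit", "FileTransferTrafficAudit"}
FTP_PORTS = {20, 21}  # 21 = control channel (the telltale), 20 = active-mode data channel


@dataclass
class Event:
    event_class: str
    source_ip: str
    destination_ip: str
    source_port: Optional[int] = None
    destination_port: Optional[int] = None
    extra: Dict[str, str] = field(default_factory=dict)  # free-text fields on the event

    def text_fields(self) -> List[str]:
        return [self.event_class, *self.extra.values()]


def is_network_audit(ev: Event) -> bool:
    return ev.event_class in NETWORK_AUDIT_CLASSES


def mentions_ftp(ev: Event) -> bool:
    # The out-of-box filter looks for the word FTP anywhere in the event.
    return any("ftp" in value.lower() for value in ev.text_fields())


def uses_ftp_port(ev: Event) -> bool:
    return ev.source_port in FTP_PORTS or ev.destination_port in FTP_PORTS


def ftp_filter(events: List[Event]) -> List[Event]:
    """Broad filter: Network Audit Alerts that mention FTP or touch port 20/21."""
    return [ev for ev in events
            if is_network_audit(ev) and (mentions_ftp(ev) or uses_ftp_port(ev))]


def telltale_control_channel(events: List[Event]) -> List[Event]:
    """Narrow rule from the second reply: TCPTrafficAudit with DestinationPort = 21."""
    return [ev for ev in events
            if ev.event_class == "TCPTrafficAudit" and ev.destination_port == 21]


# Constructed sample events (not real LEM output); RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    Event("TCPTrafficAudit", "10.0.0.5", "203.0.113.10", 51234, 21),      # FTP control channel
    Event("TCPTrafficAudit", "203.0.113.10", "10.0.0.5", 20, 51235),      # active-mode data channel
    Event("FileTransferTrafficAudit", "10.0.0.7", "198.51.100.4", 49000, 2121,
          {"Protocol": "FTP"}),                                           # proxy saw FTP on a non-standard port
    Event("TCPTrafficAudit", "10.0.0.9", "198.51.100.8", 52000, 443),     # HTTPS; must not match
    Event("UserLogon", "10.0.0.9", "10.0.0.1", None, None,
          {"ExtraneousInfo": "ftp-svc account"}),                         # mentions ftp but is not a Network Audit Alert
]

if __name__ == "__main__":
    for ev in ftp_filter(SAMPLE_EVENTS):
        print(f"{ev.event_class}: {ev.source_ip}:{ev.source_port} -> "
              f"{ev.destination_ip}:{ev.destination_port}")
```

The broad filter is what you would use for a historical nDepth search, since it also catches FTP seen by a proxy on a non-standard port; the narrow DestinationPort = 21 rule is the better starting point for an alert, because the keyword match fires on any Network Audit event whose text happens to contain "ftp" (a hostname or service account name, for instance) and will need tuning before it alerts cleanly.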