Knowledge Search


Preventing FTP Download of .exe files using Deep Inspection (DI)

  [KB7808] Show Article Properties

Using Deep Inspection (DI), prevent users from downloading any .exe files using the FTP GET command.
Trying to use the FTP GET attack context when defining a custom Deep Inspection signature.  However, no matter what is tried, DI does not prevent .exe files from being downloaded.

To configure a custom signature to prevent FTP GET of .exe file, use the attack context "256 Byte Stream".  This will examine only the first 256 bytes of a stream, and match the attack signature that's only in the first 256 bytes of a packet.  Use the following definition:

set attack "CS:ftpexe" stream256 ".*\.exe.*" severity medium
set attack group "CS:Path" add "CS:FTP-Path"

The attack signature ".*\.exe.*" will basically match anything up to .exe and match anything after it.

The FTP Command context only applies to the following:

  • USER
  • PASS
  • ACCT
  • CWD
  • CDUP
  • SMNT
  • REIN
  • QUIT



Reference Section 4.1.1 of RFC 959

Related Links: