FTP Transfer BIOC

L1 Bithead

Hello Palo Alto LiveCommunity,


I’m currently working on a task where I need to create a custom BIOC (Behavioral Indicator of Compromise) and add it to a restriction profile to block FTP command lines. Specifically, I want to prevent FTP-related commands from being executed by monitoring and restricting certain patterns.


I also need help with incorporating the following regex expression into the scope of action for a remote IP.

It would be very much appreciated if you have more details of how the BIOC must be created to block a process when it's associated with a restriction profile.

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@J.Gammara,

You might have better luck posting this in the Cortex XDR specific discussion forum. There are a couple of folks who at least monitor that on a somewhat regular basis who would pick up your discussion and be able to help a bit more. You would need to really test your regex to ensure that this doesn't capture too much; it's a bit of a risky exercise honestly.


You'll need to attempt to account for various FTP methods if I understand your end goal appropriately. As an example, you can utilize wget ftp://myftpsite.com, you can utilize FTP directly, cURL, and about a million other utilities. Your most common "catch" would just be building an indicator for ftp://anything and attempting to build something for ftp itself that isn't going to be overly broad and capture more than you want.

I'd also just toss out that building a firewall rule to limit FTP and alert on any denied FTP sessions would likely actually be an easier path forward and still allow you to alert on unexpected/denied FTP traffic.
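The reply's warning about an overly broad regex is easiest to take seriously with a small offline harness. The Python below is an added example, not code from the original thread or from Palo Alto Networks: it runs a naive "ftp" substring pattern and a tighter pattern (FTP client launched as the process image, or an ftp:// / ftps:// URL in the arguments of wget, curl or anything else) over a constructed set of command lines and counts true positives, false positives and false negatives. All command lines, hostnames and paths are made up for the test; whether the Cortex XDR BIOC editor accepts exactly this regex dialect is an assumption to verify against the product before pasting it into a rule.

```python
import re

# Naive indicator: any occurrence of "ftp", case-insensitive. This is the
# "overly broad" pattern the reply warns about.
BROAD = re.compile(r"ftp", re.IGNORECASE)

# Tighter indicator with two alternatives:
#   1. ftp / ftp.exe is the launched image (optionally quoted, optionally with a
#      drive letter and directory path in front of it), followed by whitespace or
#      end of line so that names like "ftp_notes.txt" do not qualify;
#   2. an ftp:// or ftps:// URL appears anywhere in the arguments, which covers
#      wget, curl and similar tools regardless of the binary name.
TIGHT = re.compile(
    r"""
    ^\s*"?(?:[A-Za-z]:)?(?:[^"\s\\/]*[\\/])*ftp(?:\.exe)?"?(?=\s|$)   # ftp client as the process image
    |
    \bftps?://                                                         # ftp:// or ftps:// URL in the arguments
    """,
    re.IGNORECASE | re.VERBOSE,
)

# Constructed sample command lines (not taken from the post): each is paired with
# whether a defender would want the FTP indicator to fire on it.
SAMPLE_CMDLINES = [
    ("wget ftp://myftpsite.com/tools/update.bin", True),
    ("curl -u user:pass -O ftp://myftpsite.com/report.csv", True),
    ("ftp.exe -s:C:\\Users\\Public\\script.txt 10.0.0.5", True),
    ('"C:\\Windows\\System32\\ftp.exe" -inv myftpsite.com', True),
    ("notepad.exe C:\\Users\\alice\\ftp_notes.txt", False),     # "ftp" inside a file name
    ("sftp -P 2222 deploy@buildhost", False),                    # SFTP is SSH, not FTP
    ("cmd.exe /c echo ftp > C:\\temp\\log.txt", False),          # the word as an argument
    ("python.exe -m http.server 8080", False),                   # unrelated process
]


def matches(pattern: re.Pattern, cmdline: str) -> bool:
    """True if the indicator pattern fires on this command line."""
    return pattern.search(cmdline) is not None


def evaluate(pattern: re.Pattern, samples) -> dict:
    """Score a pattern against labelled samples.

    Returns counts of true positives, false positives and false negatives plus
    the list of command lines that were matched but should not have been, which
    is what you would review before committing the regex to a BIOC.
    """
    result = {"tp": 0, "fp": 0, "fn": 0, "false_positives": []}
    for cmdline, should_match in samples:
        hit = matches(pattern, cmdline)
        if hit and should_match:
            result["tp"] += 1
        elif hit and not should_match:
            result["fp"] += 1
            result["false_positives"].append(cmdline)
        elif not hit and should_match:
            result["fn"] += 1
    return result


if __name__ == "__main__":
    for name, pattern in (("broad", BROAD), ("tight", TIGHT)):
        score = evaluate(pattern, SAMPLE_CMDLINES)
        print(f"{name}: tp={score['tp']} fp={score['fp']} fn={score['fn']}")
        for cmdline in score["false_positives"]:
            print(f"  false positive: {cmdline}")
```

The broad pattern catches every FTP launch but also fires on the file name, the SFTP session and the echoed word; the tight pattern keeps all four true positives with no false positives on this set. Extend SAMPLE_CMDLINES with real command lines from your own XDR data before trusting either number, since the harness can only measure the cases you feed it.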

