Hello, and welcome,
your request sounds like very unusual one: you want to allow File Transfer Protocol but you want to prohibit file transfer with it. That is quite easy: disallow File transfer protocol in the first place.
If you are still trying to do what you asked above, this will be hard, because nobody planned to do that (allow FTP but block file transfers with it) so such context aren't necessarily included/exposed in the custom signature engine.
There is a few hacks you could try to do, to achieve the same, nevertheless. Hacks are weird because use case is weird, I guess, but: - to block such requests as PUT or GET, you need custom signatures. Custom signatures for FTP context work by either looking at the context (byte pattern) or checking the length of the request (byte size). - it is very hard to use custom pattern as those require at least 7 consecutive hard-coded bytes to catch on; what you COULD do is: 1. prepend all your files in said FTP server with fixed 3-character patterns, let's say you prepend them with three consecutive underscores, so "file.exe" becomes "___file.exe", 2. create blocking signatures for "GET ___" and "PUT ___" which will give you 7 consecutive characters (3 for text, 1 for space, 3 for underscores prepending all file names) 2a. alternatively, you could see if commands that you wish to allow contain 7 bytes or more; than you could create custom signatures for what you ALLOW instead of renaming all files in order to block. however, most of the FTP commands are 3-4 characters so it will still be hard to find 7 matching consecutive characters. maybe your use case allows for this approach.
- as you can tell, that's an ugly hack as it requires control over the files that are sitting in the server. sounds impractical. another approach would be byte size. this is tricky, because it could work possibly only by: 1. taking a pcap of the FTP session where you would execute some allowed commands; 2. allowing only a specific byte-length of the requests (that you observed above when you executed allowed requests). this approach might work and would probably block most of the put/get requests, unless request weirdly matches exact length size allowed earlier
Another and proper approach, from the point of view of system administration, would be to simply disallow particular users/user group those commands on the FTP server itself, and leave firewall out of it. that would be recommended and proper approach in the real world.
Hope that this conversation humored you and that you'll still go with blocking whole FTP or blocking those users on FTP server itself, rather than trying to achieve very opposing goals at the same time (allow FTP but block file transfers).
... View more