FAQ about File Transfer Protocol & FIM

Introduction

This page includes frequently asked questions Threat Stack has received about File Integrity Monitoring (FIM) and the File Transfer Protocol (FTP).

How do I use FIM to monitor an FTP service?

You can track an FTP service exfiltrating data from your system using the Threat Stack FIM monitoring service.

Create a FIM rule to monitor a sensitive file or directory. After you create a FIM rule, if an FTP service copies a file to a remote system, an event triggers in Threat Stack and you receive an alert stating that the file was opened by the service.

How do I whitelist a particular user in FTP?

To whitelist a particular user, you have to add a suppression to the rule they currently trigger.

NOTE: Threat Stack stores rules on the host and not the backend. This means rules can take a few minutes to update. Additionally, a rule suppression is not recursive.  

1. On the Alerts page, click the Suppression button.

2. On the Add New Host Rule Suppression fly-in, enter the user to suppress.

3. Click the Add New Suppression button.

You added a suppression to a rule set. Going forward, Skyler (the user suppressed in this example) will not trigger an alert related to this rule.

For more information on Suppressions, see the How do I Suppress Alerts? article.

How do I monitor other folders for invalid users?

To monitor other folders for invalid users:

  1. Create a rule to monitor changes in all home directories.
  2. Create suppressions for each user for their own home directory.

See the How to Monitor other Folders for Invalid Users article for the full instruction set.
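
The two steps above amount to one broad rule on every home directory plus one exception per user. As an added example (not Threat Stack rule syntax and not code from this article), the Python below applies that logic to constructed file events; it assumes home directories live under /home and are named after their owners, and all function and field names are hypothetical.

```python
import posixpath
from pathlib import PurePosixPath

HOME_ROOT = PurePosixPath("/home")  # assumption: homes are /home/<username>

# Constructed sample file events; not Threat Stack output.
SAMPLE_EVENTS = [
    {"user": "skyler", "process": "vsftpd", "path": "/home/skyler/report.csv"},
    {"user": "skyler", "process": "vsftpd", "path": "/home/jordan/payroll.xlsx"},
    {"user": "jordan", "process": "vsftpd", "path": "/home/jordan/notes.txt"},
    {"user": "ftpguest", "process": "vsftpd", "path": "/home/skyler/../jordan/todo.txt"},
    {"user": "jordan", "process": "vsftpd", "path": "/var/ftp/pub/readme"},
]


def home_owner(path):
    """Return the name of the home directory a path falls under, or None."""
    # normpath collapses '..' lexically so a traversal segment cannot
    # disguise whose directory is touched (symlinks are not resolved).
    clean = PurePosixPath(posixpath.normpath(path))
    try:
        rel = clean.relative_to(HOME_ROOT)
    except ValueError:
        return None  # not under a monitored home directory
    return rel.parts[0] if rel.parts else None


def own_home_suppressions(users):
    """Step 2: one suppression per user, covering only their own home."""
    return {(user, user) for user in users}


def evaluate(events, suppressions):
    """Step 1 rule (any event under /home) minus the per-user suppressions."""
    alerts = []
    for event in events:
        owner = home_owner(event["path"])
        if owner is None:
            continue  # outside the rule's scope
        if (event["user"], owner) in suppressions:
            continue  # user working in their own home directory
        alerts.append((event["user"], owner, event["path"]))
    return alerts


if __name__ == "__main__":
    for user, owner, path in evaluate(SAMPLE_EVENTS, own_home_suppressions(["skyler", "jordan"])):
        print(f"ALERT: {user} touched {owner}'s home directory: {path}")
```

An account with no suppression of its own, such as the constructed ftpguest user, alerts on any home directory it touches.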
