# outbound\_ftp\_traffic

**Explanation**

This event monitors outbound traffic for cleartext FTP connections. The use of non-encrypted protocols such as FTP can leave sensitive information vulnerable to interception and theft.

**What to Look For**

To investigate and remediate outbound FTP traffic, examine network traffic for unencrypted connections on TCP ports 20 and 21. Check FTP logs for suspicious activity, such as transfers to unauthorized destinations or user credentials transmitted in cleartext. Configure endpoints and servers to use encrypted file transfer protocols such as SFTP or FTPS, and consider blocking TCP ports 20 and 21.
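The check described above can be sketched as a small script. This is an added example, not part of the detection model itself. The flow record format, the `10.0.0.0/8` internal range, the allow-list and the function names are all assumptions chosen for illustration, and the sample records are constructed.

```python
import csv
import ipaddress
from collections import defaultdict

FTP_PORTS = {20, 21}  # TCP ports named on this page
# Assumption: the monitored network is 10.0.0.0/8; adjust to your address plan.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flow records (not real traffic), in a hypothetical format:
# time,src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
2024-01-01T10:00:00Z,10.0.0.5,50122,203.0.113.10,21,tcp,412
2024-01-01T10:00:02Z,203.0.113.10,20,10.0.0.5,50123,tcp,1048576
2024-01-01T10:01:00Z,10.0.0.7,50200,198.51.100.20,21,tcp,388
2024-01-01T10:02:00Z,10.0.0.7,50201,198.51.100.20,22,tcp,9000
2024-01-01T10:03:00Z,10.0.0.8,50300,10.0.0.9,21,tcp,500
2024-01-01T10:04:00Z,10.0.0.5,50400,203.0.113.10,21,udp,100
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_outbound_ftp(flow_text, allowed=frozenset()):
    """Summarise cleartext FTP between internal hosts and external peers.

    Returns {(internal_ip, external_ip): {"flows", "bytes", "authorized"}}.
    """
    findings = defaultdict(lambda: {"flows": 0, "bytes": 0, "authorized": False})
    for _ts, src, sport, dst, dport, proto, nbytes in csv.reader(flow_text.splitlines()):
        if proto != "tcp":
            continue
        sport, dport = int(sport), int(dport)
        if dport in FTP_PORTS and is_internal(src) and not is_internal(dst):
            host, peer = src, dst   # internal client -> external server port 20/21
        elif sport in FTP_PORTS and is_internal(dst) and not is_internal(src):
            host, peer = dst, src   # external server port 20/21 -> internal client,
                                    # e.g. an active-mode data connection from port 20
        else:
            continue                # not FTP ports, or internal-to-internal traffic
        entry = findings[(host, peer)]
        entry["flows"] += 1
        entry["bytes"] += int(nbytes)
        entry["authorized"] = peer in allowed
    return dict(findings)

if __name__ == "__main__":
    for pair, info in find_outbound_ftp(SAMPLE_FLOWS, {"203.0.113.10"}).items():
        print(pair, info)
```

Pairs with `authorized` set to `False` are the transfers to unauthorized destinations that warrant a closer look at the FTP logs.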

**Related MITRE ATT\&CK Categories**

[Exfiltration: Exfiltration Over Alternative Protocol, Technique T1048 - Enterprise](https://attack.mitre.org/techniques/T1048)


