GEN:SID 1:503
Message MISC Source Port 20 to <1024
Summary This event is generated when possible non-legitimate traffic is detected
that should not be allowed through a firewall.
Impact This can be used to pass through a poorly configured firewall.
Detailed Information Traffic from port 20 is normally FTP traffic.  Commands are passed to an
FTP server over port 21.  In order to download files, a client tells the
FTP server to connect to the client on port 'X' where 'X' is a port
above 1023.  The FTP server then connects to the client on the given
port using the source port of 20.  Ports below 1024 are privileged, a
legitimate connection from an ftp server should always be to a port
above 1023.  Some misconfigured firewalls may blindly allow connections
to any port from a source port of 20.
Affected Systems All
Attack Scenarios An attacker could use a source port of 20 for TCP connections to bypass
a poorly configured firewall.  
Ease of Attack Simple.
Corrective Action Connections from port 20 should only be allowed to ports >=1024.  A
better solution would be block this traffic entirely and force FTP
clients inside the firewall to use PASV mode.
Additional References Arachnids:
http://www.whitehats.com/info/IDS06
Rule References arachnids: 06