FileCatalyst Detection
You must look at protocol behavior, not port numbers.
For high-level visibility without inspecting payloads, NetFlow/IPFIX analysis is highly effective.
FI-2025-010 - Unrestricted File Upload in FileCatalyst - Fortra
A backup server initiates an outbound TCP connection to a partner IP on port 8080. The connection stays alive for 14 hours but only transfers data in three short bursts. That’s the FileCatalyst “hot folder” pattern — idle control channel, then scheduled bursts.
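The idle-then-burst pattern described above can be scored from flow exports alone. The following is an added example, not code from the original page or from Fortra: the record layout (one tuple per collector export interval), the thresholds, and the sample addresses are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Assumed thresholds (tune per network); none of these come from the page.
MIN_DURATION_S = 8 * 3600     # session must span at least 8 hours
MAX_DUTY_CYCLE = 0.10         # at most 10% of the session carries bulk data
ACTIVE_BYTES_PER_S = 50_000   # an export interval above this rate is "active"
MIN_BURSTS = 2

def find_idle_burst_sessions(records):
    """records: (src, dst, dport, start_s, end_s, bytes) interval exports, as a
    NetFlow/IPFIX collector emits them for a long-lived flow (assumed layout)."""
    sessions = defaultdict(list)
    for src, dst, dport, start, end, nbytes in records:
        sessions[(src, dst, dport)].append((start, end, nbytes))
    hits = []
    for key, ivals in sessions.items():
        ivals.sort()
        duration = ivals[-1][1] - ivals[0][0]
        if duration < MIN_DURATION_S:
            continue
        bursts, active_s, prev_end = 0, 0, None
        for start, end, nbytes in ivals:
            span = max(end - start, 1)
            if nbytes / span < ACTIVE_BYTES_PER_S:
                continue  # keep-alive / control-channel traffic only
            active_s += span
            if prev_end is None or start > prev_end:
                bursts += 1  # contiguous active intervals count as one burst
            prev_end = end
        duty = active_s / duration
        if bursts >= MIN_BURSTS and duty <= MAX_DUTY_CYCLE:
            hits.append({"flow": key, "hours": round(duration / 3600, 1),
                         "bursts": bursts, "duty_cycle": round(duty, 3)})
    return hits

def sample_records():
    """Constructed data: a 14-hour flow in 5-minute exports with three bursts,
    plus a steady 14-hour bulk flow that must not match."""
    recs, burst_slots = [], {20, 21, 80, 140}  # slots 20-21 form one burst
    for i in range(168):
        t = i * 300
        recs.append(("10.0.0.5", "203.0.113.7", 8080, t, t + 300,
                     90_000_000 if i in burst_slots else 1_200))
        recs.append(("10.0.0.9", "203.0.113.8", 8080, t, t + 300, 60_000_000))
    return recs

if __name__ == "__main__":
    for hit in find_idle_burst_sessions(sample_records()):
        print(hit)
```

The steady bulk flow is excluded by its duty cycle, which is what separates a scheduled-burst session from an ordinary long transfer on the same port.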
This rule looks for the string "FileCatalyst" in the TCP stream headed to destination port 21. While FileCatalyst may not broadcast its name in clear text in all modes, matching on the specific SITE commands the software uses (often for file verification) can also trigger an alert.
FileCatalyst’s proprietary UDP protocol doesn’t behave like video streaming or VoIP. Look for:
FileCatalyst isn’t your average file transfer protocol. Built for high-speed, long-distance, and high-latency links, it’s a favorite in media, defense, and energy sectors. But that same efficiency makes it a blind spot for many security and network teams.