File: 1927.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (74 lines) | stat: -rw-r--r-- 1,847 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
Rule:

--
Sid: 
1927

--
Summary:
This event is generated when activity relating to spurious ftp traffic 
is detected on the network.

--
Impact:
Varies from information gathering to a serious compromise of an ftp 
server.

--
Detailed Information:
FTP is used to transfer files between hosts. This event is indicative of
spurious activity in FTP traffic between hosts.

The event may be the result of a transfer of a known protected file or 
it could be an attempt to compromise the FTP server by overflowing a 
buffer in the FTP daemon or service.

In this case, the rule will generate an event due to the attempted
transfer of an authorized_keys file. This file is used in ssh
communications to authenticate a user without the need for a password.
Retrieval of this file may allow an attacker to gain valuable
information about the hosts allowed to gain access to the machine via
ssh, included the hostname, IP address and the username belonging to the
authorized user. The attacker may have access to the users .ssh directory in 
which case the public and private keys for that user may also be at risk.

--
Attack Scenarios:
A user may transfer sensitive company information to an external party 
using FTP.

An attacker might utilize a vulnerability in an FTP daemon to gain 
access to a host, then upload a Trojan Horse program to gain control of 
that host.

--
Ease of Attack:
Simple.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Disallow access to FTP resources from hosts external to the protected 
network.

Use secure shell (ssh) to transfer files as a replacement for FTP.

--
Contributors:
Sourcefire Research Team
Brian Caswell <brian.caswell@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

The manual page for ssh on the system in question.

--