File: 1443.txt

package info (click to toggle)
snort 2.9.7.0-5
  • links: PTS, VCS
  • area: main
  • in suites: buster, sid, stretch
  • size: 55,000 kB
  • ctags: 38,464
  • sloc: ansic: 266,667; sh: 12,508; makefile: 2,908; yacc: 497; perl: 496; lex: 261; sed: 14
file content (72 lines) | stat: -rw-r--r-- 2,182 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
Rule:

--
Sid:
1443

--
Summary:
This event is generated when a TFTP GET request is made for the "passwd"
file.  This could be an indication that a remote attacker has 
compromised a system on the network and is transfering sensitive files 
back to the attacking system.  It may also be an indication of a generic
TFTP server scan that includes tests for generic system files.

--
Impact:
The "passwd" file normally stores users names for Unix based systems.  
If this file is being transfered over the network using TFTP it is 
normally an indication of a system compromise.

In some situations this rule may only indicate a generic TFTP scan 
attempt, as the attacker may be scanning a large range of IP addresses 
for TFTP improperly configured TFTP servers.

--
Detailed Information:
This rule searches for the filename "passwd" in TFTP GET requests.  The 
"passwd" file is used by Unix based systems to store users names for the
system.

--
Attack Scenarios:
After a successful system compromise an attacker may setup a tftp 
service to transfer files back to the attacking system.  Under this 
scenario the source address will point to the attack network and the 
destination address will be an address defined in the HOME_NET.

Attackers may also scan large subnets for TFTP servers and make numerous
generic GET request for common system files. 

--
Ease of Attack:
Simple: Numerous tools and automated scripts exist for scanning large 
subnets for improperly configured TFTP servers.

--
False Positives:
This rule was created to catch TFTP GET requests for "passwd", if this 
file name is being used during a legitimate TFTP session this rule will 
generate a false positive.

--
False Negatives:
None known

--
Corrective Action:
Depending on the situation blocking the attacker at the upstream router 
or firewall will eliminate the problem.  However, if the TFTP server is 
incorrectly configured and is actually serving the "passwd" file, it 
should be configured to only serve specific files from a safe directory.

--
Contributors:
Original rule writer unknown
Sourcefire Research Team
Matthew Watchinski Matt.Watchinski@sourcefire.com

--
Additional References

--