Rule Category

PROTOCOL-TFTP -- Snort has detected traffic that may indicate the presence of the tftp protocol or vulnerabilities in the tftp protocol on the network.

Alert Message

PROTOCOL-TFTP GET passwd

Rule Explanation

This event is generated when a TFTP GET request is made for the "passwd" file. This could be an indication that a remote attacker has compromised a system on the network and is transferring sensitive files back to the attacking system. It may also be an indication of a generic TFTP server scan that includes tests for generic system files.

Impact: The "passwd" file normally stores user names on Unix-based systems. If this file is being transferred over the network using TFTP, it is normally an indication of a system compromise. In some situations this rule may only indicate a generic TFTP scan attempt, as the attacker may be scanning a large range of IP addresses for improperly configured TFTP servers.

Details: This rule searches for the filename "passwd" in TFTP GET requests. The "passwd" file is used by Unix-based systems to store the user names for the system.

Ease of Attack: Simple. Numerous tools and automated scripts exist for scanning large subnets for improperly configured TFTP servers.

What To Look For

This event is generated when a TFTP GET request is made for the "passwd" file. This could be an indication that a remote attacker has compromised a system on the network and is transferring sensitive files back to the attacking system. It may also be an indication of a generic TFTP server scan that includes tests for generic system files.

Known Usage

No public information

False Positives

Known false positives, with the described conditions

This rule was created to catch TFTP GET requests for "passwd". If this file name is being used during a legitimate TFTP session, this rule will generate a false positive.
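The detection logic described in the Rule Explanation and the false-positive condition above, as an added Python example (this is not Snort's rule or the Talos implementation). It parses the UDP payload of a TFTP request per RFC 1350 (2-byte opcode, NUL-terminated filename, NUL-terminated mode), alerts only on read requests (opcode 1, the "GET") whose filename contains "passwd", and takes an optional allowlist of source addresses for hosts whose legitimate TFTP sessions use that file name. The packet layout comes from RFC 1350; the port check on 69, the sample packets and the allowlisted address are assumptions constructed for the example.

```python
"""Flag TFTP GET (RRQ) requests for a "passwd" file.

Added example, not Snort's rule code. Packet layout per RFC 1350:
    2-byte opcode | filename | 0x00 | mode | 0x00
"""
import struct
from typing import Optional, Tuple

# TFTP opcodes (RFC 1350). An RRQ is the "GET" the rule description refers to.
TFTP_RRQ = 1
TFTP_WRQ = 2
TFTP_PORT = 69  # assumption: requests are observed on the standard TFTP port


def parse_tftp_request(payload: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, filename, mode) for a well-formed RRQ/WRQ, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    # Two NUL-terminated strings follow the opcode; split() yields a trailing
    # empty element only when the second terminator is present.
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    filename = fields[0].decode("latin-1")
    mode = fields[1].decode("latin-1").lower()
    return opcode, filename, mode


def check_packet(src_ip: str, dst_port: int, payload: bytes,
                 allowlist=frozenset()) -> Optional[dict]:
    """Return an alert record for a TFTP GET of a passwd file, or None.

    allowlist holds source IPs whose legitimate TFTP sessions use that file
    name (the false-positive case described in the rule documentation).
    """
    if dst_port != TFTP_PORT:
        return None
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return None
    opcode, filename, mode = parsed
    # Only read requests count as a GET; a WRQ of "passwd" is not this rule.
    if opcode != TFTP_RRQ or "passwd" not in filename.lower():
        return None
    if src_ip in allowlist:
        return None
    return {"msg": "PROTOCOL-TFTP GET passwd", "src": src_ip,
            "file": filename, "mode": mode}


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Encode a request payload; used here only to construct sample traffic."""
    return (struct.pack("!H", opcode) + filename.encode() + b"\x00"
            + mode.encode() + b"\x00")


# Constructed sample packets: (source IP, destination port, UDP payload).
SAMPLE_PACKETS = [
    ("198.51.100.7", 69, build_request(TFTP_RRQ, "passwd")),               # alert
    ("198.51.100.7", 69, build_request(TFTP_RRQ, "/etc/passwd", "netascii")),  # alert
    ("192.0.2.10", 69, build_request(TFTP_RRQ, "pxelinux.cfg/default")),  # benign boot file
    ("198.51.100.7", 69, build_request(TFTP_WRQ, "passwd")),               # write, not GET
    ("198.51.100.7", 69, b"\x00\x01passwd"),                               # truncated request
    ("10.0.0.5", 69, build_request(TFTP_RRQ, "passwd")),                   # allowlisted host
]


def run_detection(packets, allowlist=frozenset({"10.0.0.5"})):
    """Run check_packet over a packet list and return the alerts raised."""
    return [alert for alert in
            (check_packet(src, port, data, allowlist) for src, port, data in packets)
            if alert is not None]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_PACKETS):
        print(alert)
```

With the constructed samples, only the two read requests from 198.51.100.7 produce alerts; the write request, the truncated payload and the allowlisted host are ignored. Dropping the allowlist makes the 10.0.0.5 request alert as well, which is the false-positive case the rule documentation warns about.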

Contributors

Original rule writer unknown
Cisco Talos
Matthew Watchinski

Rule Groups

No rule groups

CVE

None

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None

MITRE ATT&CK Framework

Tactic: Collection

Technique: Data from Information Repositories

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org