Snort mailing list archives

Re: TFTP Get


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 18 Mar 2003 19:45:52 -0500

If you read the classification, it's "potentially bad traffic", which should make clear that the traffic is possibly bad but not definitely an attack. So do not characterize this as an attack, because Snort certainly did not call it that.

TFTP is a very simple, very much not secured file transfer protocol. It's commonly used for loading configurations into simple devices like routers, and also for boot-from-network type situations. Being highly insecure, it's generally only used between two systems which are on the same trusted network.

This looks like a boot-from-net type situation, where 192.xxx.xxx.xxx booted up and was trying to find a TFTP server to download a boot image from. So it sent a TFTP get request to the broadcast address.

In general, if you see TFTP coming in from the internet trying to enter your LAN, it's likely to be malicious; but if you see machines inside your LAN talking in this manner, you should investigate why, but not be overly concerned about it. It's most likely some "appliance" type device that's misconfigured and is trying a network boot. You'll probably want to disable that for better security, but it's not an attack or a direct immediate threat.


At 03:53 PM 3/18/2003 -0800, you wrote:

When does this "TFTP get" attack happen? The SID-1444 rule got triggered. What does this attack mean? Are there any false positives associated with this? Could this be just a false positive?

01/29-00:07:42.588539 [**] [1:1444:2] TFTP Get [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.xxx.xxx.xxx:5454 -> 255.255.255.255:69

Thanks.

Clayton
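The triage logic from the reply above, written out as an added example (this is not code from either poster or from the Snort project): it parses a Snort fast-format alert line, checks that it is the SID 1444 "TFTP Get" rule over UDP, and then classifies it by where the request came from and whether it was sent to a broadcast address. It also decodes the TFTP read-request packet that such an alert is about. The sample alert line, the source address and the trusted LAN ranges in INTERNAL_NETS are constructed assumptions for the demonstration.

```python
"""Triage a Snort 'TFTP Get' (SID 1444) alert using the reasoning from the thread."""
import ipaddress
import re
import struct

# Snort "fast" alert format, as in the line quoted in the thread.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] '
    r'\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} '
    r'(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$')

# Assumed trusted LAN ranges (RFC 1918); adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]

# Constructed sample alert: the thread's line with a made-up internal source address.
SAMPLE_ALERT = ('01/29-00:07:42.588539 [**] [1:1444:2] TFTP Get [**] '
                '[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} '
                '192.168.1.23:5454 -> 255.255.255.255:69')

# Constructed TFTP read request (RFC 1350): opcode 1, filename, NUL, mode, NUL.
SAMPLE_RRQ = b'\x00\x01' + b'boot.img\x00' + b'octet\x00'


def parse_alert(line):
    """Split a fast-format alert line into typed fields."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError('not a Snort fast-format alert: %r' % line)
    d = m.groupdict()
    for key in ('gid', 'sid', 'rev', 'prio', 'sport', 'dport'):
        d[key] = int(d[key])
    d['src'] = ipaddress.ip_address(d['src'])
    d['dst'] = ipaddress.ip_address(d['dst'])
    return d


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def is_broadcast(addr):
    """Limited broadcast or the directed broadcast of a trusted LAN."""
    if addr == ipaddress.ip_address('255.255.255.255'):
        return True
    return any(addr == net.broadcast_address for net in INTERNAL_NETS)


def triage_tftp_alert(alert):
    """Apply the thread's rule of thumb to a parsed SID 1444 alert."""
    if alert['sid'] != 1444 or alert['proto'] != 'UDP' or alert['dport'] != 69:
        return 'not-tftp-get'
    if not is_internal(alert['src']):
        # TFTP arriving from outside the LAN: treat as likely malicious.
        return 'external-tftp-likely-malicious'
    if is_broadcast(alert['dst']):
        # Internal host asking "anyone?" for a boot image: misconfigured
        # network boot is the usual cause; investigate and disable, not an attack.
        return 'internal-broadcast-probable-netboot'
    # Internal unicast: confirm both peers are on the same trusted network.
    return 'internal-unicast-verify-peers'


def decode_tftp_request(payload):
    """Decode a TFTP RRQ/WRQ into (kind, filename, mode)."""
    if len(payload) < 2:
        raise ValueError('truncated TFTP packet')
    opcode = struct.unpack('!H', payload[:2])[0]
    kinds = {1: 'RRQ', 2: 'WRQ'}
    if opcode not in kinds:
        raise ValueError('not a TFTP request, opcode %d' % opcode)
    fields = payload[2:].split(b'\x00')
    # Expect filename, mode and the empty remainder after the final NUL.
    if len(fields) < 3:
        raise ValueError('truncated TFTP request')
    filename = fields[0].decode('ascii', 'replace')
    mode = fields[1].decode('ascii', 'replace').lower()
    return kinds[opcode], filename, mode


if __name__ == '__main__':
    alert = parse_alert(SAMPLE_ALERT)
    print(alert['msg'], alert['src'], '->', alert['dst'], triage_tftp_alert(alert))
    print(decode_tftp_request(SAMPLE_RRQ))
```

Running the block on the sample alert yields the "internal broadcast, probable network boot" verdict the reply arrives at; the same function flags a request whose source is outside INTERNAL_NETS as the case the reply does consider likely malicious.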

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net