Snort mailing list archives

Re: TFTP Get


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 18 Mar 2003 18:32:02 -0600

On Tue, 2003-03-18 at 17:53, Clayton Mascarenhas wrote:
When does this "TFTP get" attack happen?? The SID-1444 rule got
triggered. What does this attack mean?? Are there any false positives
associated with this?? Could this be just a false positive? 

01/29-00:07:42.588539 [**] [1:1444:2] TFTP Get [**] [Classification:
Potentially Bad Traffic] [Priority: 2] {UDP} 192.xxx.xxx.xxx:5454 ->
255.255.255.255:69


Clayton (but it applies to other posters as well)

I recommend logging packet details, because by looking at the packet data
you will be able to determine if this alert is a false positive or a
true positive. Just from the alert line alone you cannot make that
distinction.

Regards,
Frank
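
Added example (not part of the original message, and not Snort's own code): once packet details are logged, the UDP payload sent to port 69 can be decoded as a TFTP request per RFC 1350 to see whether it is a well-formed read request and which file it names. The function name and the sample payloads are constructed for illustration.

```python
import struct

# TFTP opcodes and transfer modes defined in RFC 1350
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
VALID_MODES = {"netascii", "octet", "mail"}


def decode_tftp_request(payload: bytes) -> dict:
    """Decode a UDP payload sent to port 69 as a TFTP read/write request."""
    if len(payload) < 2:
        return {"valid": False, "reason": "payload shorter than opcode"}
    (opcode,) = struct.unpack("!H", payload[:2])
    name = OPCODES.get(opcode)
    if name not in ("RRQ", "WRQ"):
        return {"valid": False, "opcode": opcode,
                "reason": "not a read/write request"}
    # Request layout after the opcode: filename NUL mode NUL
    # (RFC 2347 options, if present, follow as further NUL-terminated strings).
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0]:
        return {"valid": False, "opcode": opcode,
                "reason": "filename/mode not NUL-terminated"}
    filename = fields[0].decode("ascii", errors="replace")
    mode = fields[1].decode("ascii", errors="replace").lower()
    if mode not in VALID_MODES:
        return {"valid": False, "opcode": opcode,
                "reason": f"unknown mode {mode!r}"}
    return {"valid": True, "request": name, "filename": filename, "mode": mode}


# Constructed sample payloads (not taken from the alert in this thread).
SAMPLES = {
    "well-formed read request": b"\x00\x01pxelinux.0\x00octet\x00",
    "starts with 00 01 but is not TFTP": b"\x00\x01\xff\xfe\x10\x22",
    "TFTP DATA block, not a request": b"\x00\x03\x00\x01data",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label}: {decode_tftp_request(payload)}")
```

A payload that decodes to a valid request shows the requested filename and mode, which is what the analyst needs to judge the alert; one that fails to decode points to traffic that only resembles TFTP.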


