Snort mailing list archives

Re: TFTP Get


From: twig les <twigles () yahoo com>
Date: Tue, 18 Mar 2003 17:25:27 -0800 (PST)

To add a snippet of info, tftp is nasty traffic because it
doesn't require a username or password.  If you know the
destination host, name of file and where it is on the machine
then you can just ask for it.  Since most tftp servers operate
under "tftpboot" you usually don't have to guess where files
are.  Personally I find it shocking that Cisco still uses tftp
since we SSH to our routers ... and then tftp the entire config?
Lame.



--- Matt Kettler <mkettler () evi-inc com> wrote:
If you read the classification it's "potentially bad traffic",
which should be clear that the traffic is possibly bad, but not
definitely an attack. So do not characterize this as an attack,
because snort certainly did not call it that.

TFTP is a very simple, very much not secured file transfer
protocol. It's commonly used for loading configurations into
simple devices like routers, and also for boot-from-network type
situations. Being highly insecure, it's generally only used
between two systems which are on the same trusted network.

This looks like a boot-from-net type situation, where
192.xxx.xxx.xxx booted up and was trying to find a TFTP server
to download a boot image from. So it sent a TFTP get request to
the broadcast address.

In general if you see TFTP coming in from the internet trying to
enter your lan, it's likely to be malicious, but if you see
machines inside your lan talking in this manner, you should
investigate why, but not be too overly concerned about it. It's
most likely some "appliance" type device that's misconfigured and
is trying a network boot. You'll probably want to disable that
for better security, but it's not an attack or a direct immediate
threat.


At 03:53 PM 3/18/2003 -0800, you wrote:

When does this "TFTP get" attack happen?? The SID-1444 rule got
triggered. What does this attack mean?? Are there any false
positives associated with this?? Could this be just a false
positive?

01/29-00:07:42.588539 [**] [1:1444:2] TFTP Get [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.xxx.xxx.xxx:5454 -> 255.255.255.255:69

Thanks.

Clayton








_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------



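The following is an added example, not code from anyone in this thread. It turns the two technical points above into something that can be run: Matt's triage rule for SID-1444 alerts (TFTP from outside the LAN is likely malicious; an internal host sending a get to the broadcast address is probably a misconfigured device trying a network boot; internal unicast is worth a look but low urgency), and twig's point that a TFTP get carries nothing but a filename and a transfer mode, no credentials (a read request, RRQ, in RFC 1350 terms). The alert lines and the LAN range 192.168.0.0/24 are constructed for the example; the poster redacted the real source address, so the addresses here are made up.

```python
import ipaddress
import re
import struct

# Constructed sample alerts in Snort's one-line "fast" alert format, modelled
# on the alert in the original post (the poster redacted the source address;
# the addresses below are made up for this example).
SAMPLE_ALERTS = [
    "01/29-00:07:42.588539 [**] [1:1444:2] TFTP Get [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} "
    "192.168.0.237:5454 -> 255.255.255.255:69",
    "01/29-00:09:01.112233 [**] [1:1444:2] TFTP Get [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} "
    "203.0.113.45:40001 -> 192.168.0.10:69",
    "01/29-00:10:15.000001 [**] [1:1444:2] TFTP Get [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {UDP} "
    "192.168.0.12:2049 -> 192.168.0.1:69",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) \[\*\*\] \[Classification: (?P<cls>[^\]]+)\] "
    r"\[Priority: (?P<pri>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumed address range of "our" LAN; adjust for the monitored network.
LAN = ipaddress.ip_network("192.168.0.0/24")


def parse_alert(line):
    """Split a fast-format Snort alert line into its fields."""
    m = ALERT_RE.match(line)
    if m is None:
        raise ValueError("not a fast-format alert line: %r" % line)
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def triage_tftp(alert, lan=LAN):
    """Apply the thread's rule of thumb to one parsed TFTP alert."""
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    if src not in lan:
        # TFTP arriving from outside the LAN: treat as likely malicious.
        return "external-source"
    if dst == ipaddress.ip_address("255.255.255.255") or dst == lan.broadcast_address:
        # A LAN host asking "any TFTP server" for a file: the network-boot
        # pattern described above; find the device and disable the behaviour.
        return "internal-broadcast"
    # LAN host to a specific LAN server: find out why, but low urgency.
    return "internal-unicast"


def build_rrq(filename, mode="octet"):
    """Construct a TFTP read request (RFC 1350, opcode 1) as test input."""
    return struct.pack("!H", 1) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_tftp_request(payload):
    """Decode a TFTP RRQ/WRQ; returns None for any other opcode.

    Note what is NOT in the packet: there is no username or password
    field anywhere, only the filename and the transfer mode.
    """
    if len(payload) < 2:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):
        return None
    parts = payload[2:].split(b"\0")
    if len(parts) < 3:
        raise ValueError("truncated TFTP request")
    return {
        "op": "RRQ" if opcode == 1 else "WRQ",
        "filename": parts[0].decode("ascii", "replace"),
        "mode": parts[1].decode("ascii", "replace").lower(),
    }


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        a = parse_alert(line)
        print(a["src"], "->", a["dst"], triage_tftp(a))
    print(parse_tftp_request(build_rrq("sample.cfg")))
```

The first sample line is the pattern from the original post (internal host, destination 255.255.255.255) and triages as a probable network boot; the second comes from outside the assumed LAN and is the case worth treating as hostile; the third is internal unicast. Adjust LAN to the monitored range before using this against real alert files.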

