Snort mailing list archives

Re: TFTP Get


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 18 Mar 2003 20:52:54 -0500

Yes, tftp is unauthenticated. That alone is not grounds to call it "nasty", as so are most http and smtp transactions.

It is however nasty to use it for a situation that you want some security.. such as using it to load configs into routers.. I'll agree that's a gigantic flaw in cisco's routers that they even support tftp configuration, because someone might actually try to use it across an insecure network.. particularly if your config contains ipsec shared secrets... ouch.

However TFTP is perfectly fine and adequate for net-boot where you really want anyone and everyone to be able to get a copy of the file without a username and password. Would you rather net-boot devices use non-auth http? anonymous ftp? Neither of these adds anything but overhead to the process, and said devices don't have any writable storage to put a user-name and password for an authenticated download.





At 05:25 PM 3/18/2003 -0800, you wrote:
To add a snippet of info, tftp is nasty traffic because it
doesn't require a username or password.  If you know the
destination host, name of file and where it is on the machine
then you can just ask for it.  Since most tftp servers operate
under "tftpboot" you usually don't have to guess where files
are.  Personally I find it shocking that Cisco still uses tftp
since we SSH to our routers ... and then tftp the entire config? Lame.



--- Matt Kettler <mkettler () evi-inc com> wrote:
> If you read the classification it's "potentially bad traffic", which should
> be clear that the traffic is possibly bad, but not definitely an attack..
> so do not characterize this as an attack, because snort certainly did not
> call it that.
>
> TFTP is a very simple, very much not secured file transfer protocol. It's
> commonly used for loading configurations into simple devices like routers,
> and also for boot-from-network type situations. Being highly insecure, it's
> generally only used between two systems which are on the same trusted
> network.
>
> This looks like a boot-from-net type situation, where 192.xxx.xxx.xxx
> booted up and was trying to find a TFTP server to download a boot image
> from. So it sent a TFTP get request to the broadcast address.
>
> In general if you see TFTP coming in from the internet trying to enter your
> lan, it's likely to be malicious, but if you see machines inside your lan
> talking in this manner, you should investigate why, but not be too overly
> concerned about it. It's most likely some "appliance" type device that's
> misconfigured and is trying a network boot. You'll probably want to disable
> that for better security, but it's not an attack or a direct immediate
> threat.
>
> At 03:53 PM 3/18/2003 -0800, you wrote:
>
> >When does this "TFTP get" attack happen?? The SID-1444 rule got triggered.
> >What does this attack mean?? Are there any false positives associated with
> >this?? Could this be just a false positive?
> >
> >01/29-00:07:42.588539 [**] [1:1444:2] TFTP Get [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.xxx.xxx.xxx:5454 -> 255.255.255.255:69
> >
> >Thanks.
> >
> >Clayton


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
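An added example, not code from the thread or from Snort: a small Python triage script that parses the fast-format alert line quoted above and applies the rule of thumb from the quoted reply (TFTP coming in from outside is suspect; an internal host broadcasting for a boot server is a misconfigured appliance to track down and disable). The HOME_NET range, the label names, the RFC 1918 address standing in for the masked 192.xxx.xxx.xxx host and the 203.0.113.7 outside address are all assumptions.

```python
import ipaddress
import re

# Snort "fast" alert format, one alert per line, as quoted in the thread.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
TFTP_GET_SID = 1444                                 # the rule the original poster asked about
HOME_NET = ipaddress.ip_network("192.168.0.0/24")   # assumption: the monitored LAN

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        a[key] = int(a[key])
    a["src"], a["dst"] = ipaddress.ip_address(a["src"]), ipaddress.ip_address(a["dst"])
    return a

def triage_tftp_get(alert):
    """Label one SID 1444 alert using the rule of thumb from the thread."""
    if alert["sid"] != TFTP_GET_SID or alert["proto"] != "UDP":
        return "not-tftp-get"
    if alert["src"] not in HOME_NET:
        return "inbound-from-outside"        # TFTP entering the LAN: treat as likely malicious
    if alert["dst"] in (ipaddress.ip_address("255.255.255.255"), HOME_NET.broadcast_address):
        return "lan-broadcast-netboot"       # device hunting for a boot server: find it, disable netboot
    return "lan-unicast-investigate"         # internal host fetching a file: find out what and why

def triage_log(lines):
    """Map each parsable alert line to (timestamp, source address, label)."""
    out = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            out.append((alert["ts"], str(alert["src"]), triage_tftp_get(alert)))
    return out

# Constructed sample: the thread's alert with a stand-in source address, plus an invented inbound one.
SAMPLE_LOG = [
    "01/29-00:07:42.588539 [**] [1:1444:2] TFTP Get [**] [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {UDP} 192.168.0.237:5454 -> 255.255.255.255:69",
    "01/29-00:09:10.000001 [**] [1:1444:2] TFTP Get [**] [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {UDP} 203.0.113.7:40000 -> 192.168.0.10:69",
]
```

Lines that are not fast-format alerts are skipped rather than raising, so the script can be pointed at a whole alert file.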

