[Snort-sigs] SID 518

Warchild warchild at ...288...
Thu Feb 7 18:25:02 EST 2002

alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Write"; content:"|00 02|"; depth:2; reference:cve,CVE-1999-0183; reference:arachnids,148; classtype:bad-unknown; sid:518; rev:2;)


A remote machine attempted to write files to your tftp directory.

Potential abuse by "warez" sites, or by malicious users looking for an
easy place to store files for later retrieval.

Detailed Information:
The trivial file transfer program (tftp) provides a crude way for
files to be up/downloaded, but without the use of authentication.
This rule will detect a tftp write command, indicating the (attempted)
upload of a file to your host.

Attack Scenarios:
As part of an attack, an intruder may attempt to determine the
configuration of your tftp server, or use your host as a file cache
for a warez network, as an exploit repository, or for other purposes.

Ease of Attack:
Trivial.  Nearly all win32 and *nix clients provide tftp clients to
their users.

False Positives:

False Negatives:

Corrective Action:
Ensure that your tftp directory is not writable by anonymous users,
and if it is, ensure that you have good reason for doing so.
Additionally, determine if tftp access to this machine is indeed
necessary.  Finally, determine what (if any) files were transferred.

Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>
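
An added example, not part of the original post: Python that applies the same two-byte test as the rule and then parses the request (opcode, filename, mode, per RFC 1350) to recover the filename an alert refers to, which helps with the "what files were transferred" step. The payloads, addresses and function names are constructed for illustration.

```python
import struct

# TFTP opcodes (RFC 1350). SID 518 keys on WRQ: bytes 00 02 at offset 0.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

def rule_518_matches(payload: bytes) -> bool:
    """Same test as the rule: content "|00 02|" within depth 2."""
    return payload[:2] == b"\x00\x02"

def parse_request(payload: bytes):
    """Parse an RRQ/WRQ (opcode, filename NUL, mode NUL); None if malformed."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):
        return None
    fields = payload[2:].split(b"\x00")
    # A well-formed request has at least filename, mode and a trailing NUL.
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    return {
        "op": OPCODES[opcode],
        "filename": fields[0].decode("ascii", "replace"),
        "mode": fields[1].decode("ascii", "replace").lower(),
    }

def triage(packets):
    """For each (src, payload) the rule would alert on, return (src, filename, mode).
    filename/mode are None when the two bytes match but the request is malformed."""
    hits = []
    for src, payload in packets:
        if not rule_518_matches(payload):
            continue
        req = parse_request(payload)
        hits.append((src, req["filename"], req["mode"]) if req else (src, None, None))
    return hits

# Constructed sample UDP/69 payloads (documentation addresses, made-up filenames).
SAMPLE = [
    ("198.51.100.7", b"\x00\x02upload.bin\x00octet\x00"),          # WRQ
    ("198.51.100.7", b"\x00\x01startup-config\x00NETASCII\x00"),   # RRQ: no alert
    ("203.0.113.9", b"\x00\x02no-terminator"),                     # alert, malformed
    ("203.0.113.9", b"\x00\x03\x00\x01file data"),                 # DATA: no alert
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

The rule only sees the initial request sent to port 69; under RFC 1350 the server answers from a newly chosen port, so the data blocks themselves travel between other ports and have to be recovered from a full capture or from the tftp directory.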

Additional References:
