[Snort-sigs] SID 520
warchild at ...288...
Thu Feb 7 18:27:02 EST 2002
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root
directory"; content:"|0001|/"; reference:arachnids,138;
reference:cve,CVE-1999-0183; classtype:bad-unknown; sid:520; rev:2;)
A remote host attempted to get to the root directory as part of a
Little or none, so long as your tftp server is properly configured and
does not allow access to the root directory. If this _is_
allowed, any files that the user the tftpd daemon runs as (typically
"nobody") may be accessed allowing further information to be gleaned
about your system.
warchild at ...351...
[~/txt]$ tftp localhost
tftp> get /etc/hosts
Ease of Attack:
Trivial. Nearly all windows and *nix clients provide tftp clients.
Legitimate uploading of files may trigger this rule inappropriately.
Determine whether or not the file attempted to be up/downloaded was
successful, and if access to the root directory is possible.
Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>
More information about the Snort-sigs