[Snort-sigs] Re: uncle snort needs you

Warchild warchild at ...288...
Tue Jan 22 18:45:05 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; content:"RETR"; nocase; content:"passwd"; flags:A+; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356;)


A remote machine attempted to retrieve a file named passwd, or the filename
contained "passwd" in it.

Any machine running an ftp server (typically, a UNIX variant) that stores
its login/password information in a file named passwd would most likely be
affected.  This will also detect files being retrieved that have filenames
that are suspicious in nature -- in this case, containing the string
"passwd."  Possible variants include "ypcat.passwd.txt", "admin.passwd", or

Detailed Information:
A remote machine attempted to RETRieve a file containing the string
"passwd" in its name.  In the worst case, someone is attempting to
retrieve a copy of your password file.  The best case would be that the
filename simply contains the string "passwd" and, upon evaluation, reveals
nothing suspicious and was simply poorly named.  Somewhere in the middle
would be a filename that happens to contain the string "passwd" (such as
the examples I gave above) and may contain sensitive information, typically
information regarding logins/passwords for your system.

Attack Scenarios:
If your system serves ftp, you are susceptible to this attack.  Normal
non-chrooted users will typically have read access to the passwd file
anyway, but anonymous ftp users could also break out of a chroot jail and
potentially gain access to this file.  On a more recent OS, the passwd file
itself (typically, /etc/passwd) will not contain the actual encrypted
password, but the information that can be gleaned from a typical passwd
file (user names, groups, shells, etc.) can hint at an impending attack.  On
a system that does store the encrypted passwords in the passwd file
(non-shadow), once an attacker has access to this file, passwords can then
be cracked to further penetrate the system.

Ease of Attack:
Relatively simple provided your system allows ftp access (be it anonymous
or otherwise).  If your file permissions allow it, nearly any user that has
ftp access to your system can view the passwd file. 

False Positives:
The file being retrieved was poorly named and contains no suspicious data.

False Negatives:
Not detecting retrievals of your real passwd file.  This may happen if the
file being retrieved conveniently does not contain the string "passwd" in
its name, in which case detecting such activity simply by filename is next
to impossible.
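To make the rule's content checks and the false positive / false negative cases above concrete, here is a small Python model of what sid:356 matches, run over constructed FTP command lines. It is an added example, not part of the original post or of the Snort distribution; the function names and the sample commands are assumptions made for illustration.

```python
import re

# Constructed FTP command lines, as a sensor would see them in the
# client -> server direction on port 21 (not captured traffic).
SAMPLE_COMMANDS = [
    "USER anonymous",
    "retr /etc/passwd",            # worst case: the real password file
    "RETR ypcat.passwd.txt",       # a dump that may hold credentials
    "RETR old_passwd_policy.pdf",  # poorly named file: false positive
    "RETR pw.bak",                 # renamed copy: false negative
    "RETR PASSWD",                 # see note on case below: no alert
    "LIST",
]


def rule_356_matches(payload: str) -> bool:
    """Mimic the two content options of sid:356.  'nocase' applies only to
    the content it follows, so "RETR" is case-insensitive while "passwd"
    is case-sensitive.  Each content is an independent substring test, so
    spacing and order between the two strings do not matter."""
    return "RETR" in payload.upper() and "passwd" in payload


def classify(payload: str) -> str:
    """Triage hint following the post's corrective action: separate a
    request for the passwd file itself from a filename that merely
    contains the string."""
    m = re.match(r"(?i)RETR\s+(\S+)", payload)
    if not m:
        return "no-retr"
    name = m.group(1).rsplit("/", 1)[-1]
    if name == "passwd":
        return "passwd-file"
    if "passwd" in name:
        return "passwd-in-name"
    return "other"


def scan(commands):
    """Return (payload, triage) for every command that would fire sid:356."""
    return [(c, classify(c)) for c in commands if rule_356_matches(c)]


if __name__ == "__main__":
    for payload, triage in scan(SAMPLE_COMMANDS):
        print(f"{triage:15} {payload}")
```

Note that "RETR pw.bak" and "RETR PASSWD" never reach the triage step at all: the first is the filename-based false negative the post describes, the second is a consequence of the second content option being case-sensitive as the rule is written.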

Corrective Action:
Investigate to see if the file that was retrieved really was either the
passwd file itself, or was simply a filename containing passwd.

If the former, check ftp logs (if applicable) to see who downloaded the
file, and follow standard threat condition policies.  

If the latter, and the file still exists, examine it to see if the content
is suspicious -- does it contain your passwd file or other sensitive data?

Warchild <warchild at ...288...>
Jon Hart <jhart at ...289...>
