[Snort-sigs] tftp rules classtypes confusing

Miller, Eoin Miller at ...866...
Wed Apr 9 11:31:08 EDT 2003


I was going through my alerts, and I got a bit freaked for a second by the rule below, which I have in my current config for Snort 1.9:

alert udp any any -> any 69 (msg:"TFTP GET passwd"; content: "|0001|"; offset:0; depth:2; content:"passwd"; nocase; classtype:successful-admin; sid:1443; rev:1;)

the offending packet log is below:

2003-04-09 13:53:05   SID:1 CID:15551
TFTP GET passwd
[UDP] 207.188.32.1:50146 ->  XXX.XXX.XXX.178:69
00 01 2F 65 74 63 2F 70 61 73 73 77 64 00 6F 63   ../etc/passwd.oc
74 65 74 00 00 00                                 tet...


Now what seems to be odd is that the classtype is "successful-admin". It would seem to make more sense to have an "attempted-admin" classification rather than an actual successful attack, given that this isn't a response back from my server, but rather the attempt from the client that triggered this alert.

I am not 100% positive that I am running the latest stable release of rules for Snort 1.9; I attempted to download the rules from snort.org but I keep getting 404s every time I try to download the tarballs.


There are a few other TFTP rules like this as well:

alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content: "|0001|"; offset:0; depth:2; content:"admin.dll"; nocase; classtype:successful-admin; reference:url,www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)
alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content: "|0001|"; offset:0; depth:2; content:"nc.exe"; nocase; classtype:successful-admin; sid:1441; rev:1;)
alert udp any any -> any 69 (msg:"TFTP GET shadow"; content: "|0001|"; offset:0; depth:2; content:"shadow"; nocase; classtype:successful-admin; sid:1442; rev:1;)
alert udp any any -> any 69 (msg:"TFTP GET passwd"; content: "|0001|"; offset:0; depth:2; content:"passwd"; nocase; classtype:successful-admin; sid:1443; rev:1;)
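As an added illustration (not part of the original post), the script below decodes the packet quoted above as a TFTP request and applies the same two content checks the four rules use (opcode 0001 at offset 0, depth 2, then a case-insensitive filename substring). It shows that the match is on the client's read request, so the alert evidences an attempt; a server DATA packet carrying the same string would not match. The payload bytes are reconstructed from the hex dump in the post; the rule table is constructed from the sids listed above.

```python
# Payload of the UDP datagram to port 69, reconstructed from the hex dump in the post.
CAPTURED_PAYLOAD = bytes.fromhex(
    "00012F6574632F70617373776400"  # opcode 0001, "/etc/passwd", NUL
    "6F6374657400"                  # "octet", NUL
    "0000"                          # trailing padding as captured
)

TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

# sid -> filename substring, taken from the rules quoted in the post.
RULES = {1443: "passwd", 1442: "shadow", 1441: "nc.exe", 1289: "admin.dll"}


def parse_tftp_request(payload: bytes) -> dict:
    """Decode a TFTP packet: 2-byte big-endian opcode; for RRQ/WRQ the
    filename and transfer mode follow as NUL-terminated strings (RFC 1350)."""
    if len(payload) < 2:
        raise ValueError("payload too short for a TFTP opcode")
    opcode = int.from_bytes(payload[:2], "big")
    kind = TFTP_OPCODES.get(opcode, "UNKNOWN")
    if opcode not in (1, 2):
        return {"opcode": opcode, "type": kind}
    fields = payload[2:].split(b"\x00")
    if len(fields) < 2:
        raise ValueError("RRQ/WRQ missing NUL-terminated filename or mode")
    return {
        "opcode": opcode,
        "type": kind,
        "filename": fields[0].decode("latin-1"),
        "mode": fields[1].decode("latin-1"),
    }


def rule_matches(payload: bytes, opcode_bytes: bytes, needle: str) -> bool:
    """Mimic the rule body: first content anchored at offset 0 with depth 2
    (the opcode), second content matched anywhere, nocase."""
    return payload[:2] == opcode_bytes and needle.encode().lower() in payload.lower()


def matching_sids(payload: bytes) -> list:
    """Return the sids from RULES that would fire on this UDP payload."""
    return sorted(sid for sid, needle in RULES.items()
                  if rule_matches(payload, b"\x00\x01", needle))


if __name__ == "__main__":
    print(parse_tftp_request(CAPTURED_PAYLOAD))   # RRQ for /etc/passwd, mode octet
    print(matching_sids(CAPTURED_PAYLOAD))        # [1443]
```

Because the first content check pins the opcode to 0001 (RRQ), only the client's request can trigger these rules; the server's DATA packets (opcode 0003) never match, so the alert alone says nothing about whether the file was actually served.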