tftp.rules

Revision 1255, 2.5 kB (checked in by mbr, 4 years ago)
updated to Snort-2.3 rules
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`

Line
1	# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
2	# All rights reserved.
3	# $Id$
4	#-----------
5	# TFTP RULES
6	#-----------
7	#
8	# These signatures are based on TFTP traffic. These include malicious files
9	# that are distributed via TFTP.
10	#
11	# The last two signatures refer to generic GET and PUT via TFTP, which is
12	# generally frowned upon on most networks, but may be used in some enviornments
13
14	alert udp any any -> any 69 (msg:"TFTP GET filename overflow attempt"; content:"\|00 01\|"; depth:2; isdataat:100,relative; content:!"\|00\|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:1941; rev:9;)
15	alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content:"\|00 02\|"; depth:2; isdataat:100,relative; content:!"\|00\|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2337; rev:8;)
16	alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content:"\|00 01\|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:4;)
17	alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"\|00 01\|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:4;)
18	alert udp any any -> any 69 (msg:"TFTP GET shadow"; content:"\|00 01\|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:1442; rev:4;)
19	alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"\|00 01\|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:1443; rev:4;)
20	alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:".."; offset:2; reference:arachnids,137; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:519; rev:6;)
21	alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"\|00 01\|/"; depth:3; reference:arachnids,138; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:5;)
22	alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"\|00 02\|"; depth:2; reference:arachnids,148; reference:cve,1999-0183; classtype:bad-unknown; sid:518; rev:6;)
23	alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"\|00 01\|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)
24	alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"\|00 00\|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:2;)

Note: See TracBrowser for help on using the browser.

Download in other formats:

Original Format