alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Read Request"; content:"|00 01|"; depth:2; reference:url,doc.emergingthreats.net/2008120; classtype:policy-violation; sid:2008120; rev:4;)

Added 2017-01-12 17:36:21 UTC


alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Read Request"; content:"|00 01|"; depth:2; reference:url,doc.emergingthreats.net/2008120; classtype:policy-violation; sid:2008120; rev:3;)

Added 2011-10-12 19:24:28 UTC

Dear ET

1) Please consider a rule modification. All Cisco SMB switches have an auto-configuration feature. During normal behavior (in some states) a Cisco switch can generate a broadcast message to find the default configuration. Please look at the attached screenshot. The special broadcast address (255.255.255.255) should be excluded from the destination.

2) Please consider one more rule modification. For several of our clients we found that they have network devices with a pre-paid VONAGE VoIP service. A device with such a service makes a TFTP request to obtain its configuration (an XML file request). The IP addresses of the remote servers are: 69.59.239.26, 69.59.239.27, 69.59.239.28 and 69.59.239.29 (https://www.robtex.com/dns-lookup/tftp.vonage.net). I attached a screenshot from the PCAP. Please add an exception for vonage.net.

Thanks. Regards!

-- MaksymParpaley - 2017-01-04

Dear ET, are you planning to add a negation for the FPs described above? Regards

-- MaksymParpaley - 2017-01-11
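The following is an added example, not part of this page or of the Emerging Threats ruleset: a small Python model of what SID 2008120 evaluates, run over constructed TFTP datagrams so the difference between rev 3 (any external destination) and rev 4 (the broadcast address negated, as the first comment asked for) is visible. The HOME_NET value, the `extra_excludes` knob used to try the commenter's requested Vonage exception locally, the filenames and the addresses other than the four Vonage servers above are assumptions for the example only; the published rev 4 adds nothing beyond the broadcast negation.

```python
"""Model of ET SID 2008120 (Outbound TFTP Read Request) applied to
constructed datagrams.  Example code, not ET's rule engine."""
import ipaddress
import struct

HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]  # assumption for the example
BROADCAST = ipaddress.ip_address("255.255.255.255")
TFTP_PORT = 69
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}


def in_home_net(ip):
    """True when ip falls inside one of the HOME_NET ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def parse_tftp(payload):
    """Decode the TFTP opcode and, for RRQ/WRQ, the filename and mode.
    The signature only looks at the first two bytes; this shows what it skips."""
    if len(payload) < 2:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    info = {"opcode": opcode, "name": OPCODES.get(opcode, "UNKNOWN")}
    if opcode in (1, 2):
        # RFC 1350 request layout: opcode | filename NUL | mode NUL [options...]
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3:  # filename, mode and the trailing terminator
            return None
        info["filename"] = fields[0].decode("ascii", "replace")
        info["mode"] = fields[1].decode("ascii", "replace").lower()
    return info


def build_request(opcode, filename, mode="octet"):
    """Build an RRQ (opcode 1) or WRQ (opcode 2) datagram."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def rule_2008120(src_ip, dst_ip, dst_port, payload, rev=4, extra_excludes=()):
    """Return True when the signature at the given revision would alert."""
    if dst_port != TFTP_PORT:
        return False
    # $HOME_NET any -> $EXTERNAL_NET, with $EXTERNAL_NET = !$HOME_NET (the default)
    if not in_home_net(src_ip) or in_home_net(dst_ip):
        return False
    dst = ipaddress.ip_address(dst_ip)
    # rev 4 destination list: [$EXTERNAL_NET,!255.255.255.255]
    if rev >= 4 and dst == BROADCAST:
        return False
    # Site-local negations an operator might append (not in the published rule)
    if dst in {ipaddress.ip_address(x) for x in extra_excludes}:
        return False
    # content:"|00 01|"; depth:2  ->  the two-byte opcode must be 1 (RRQ)
    return payload[:2] == b"\x00\x01"


# Constructed datagrams for the example; these are not captured traffic.
SAMPLES = [
    ("cisco-broadcast", "10.0.0.5", "255.255.255.255", build_request(1, "startup-config", "netascii")),
    ("outbound-rrq", "10.0.0.5", "198.51.100.10", build_request(1, "boot.bin")),
    ("outbound-wrq", "10.0.0.5", "198.51.100.10", build_request(2, "backup.cfg")),
    ("internal-rrq", "10.0.0.5", "10.0.0.9", build_request(1, "boot.bin")),
    ("vonage-rrq", "10.0.0.7", "69.59.239.26", build_request(1, "device.xml")),
]


def demo(extra_excludes=()):
    """Map each sample to (rev3_alerts, rev4_alerts)."""
    return {
        name: (
            rule_2008120(src, dst, TFTP_PORT, payload, rev=3, extra_excludes=extra_excludes),
            rule_2008120(src, dst, TFTP_PORT, payload, rev=4, extra_excludes=extra_excludes),
        )
        for name, src, dst, payload in SAMPLES
    }


if __name__ == "__main__":
    for name, (r3, r4) in demo().items():
        print(f"{name:16s} rev3={r3!s:5s} rev4={r4!s:5s}")
    print(parse_tftp(SAMPLES[0][3]))
```

The broadcast sample alerts under rev 3 and is silent under rev 4, which is the only behavioural change the published revision makes; the Vonage sample still alerts under both, and only the `extra_excludes` argument, standing in for a site-local copy of the rule with further negations, suppresses it.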


alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008120; sid:2008120; rev:3;)

Added 2011-09-14 22:37:57 UTC


alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008120; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_TFTP; sid:2008120; rev:3;)

Added 2011-02-04 17:27:13 UTC


alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:policy-violation; reference:url,doc.emergingthreats.net/2008120; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_TFTP; sid:2008120; rev:3;)

Added 2009-09-15 12:00:41 UTC


alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:bad-unknown; reference:url,doc.emergingthreats.net/2008120; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_TFTP; sid:2008120; rev:2;)

Added 2009-02-11 19:15:24 UTC


alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2008120; rev:1;)

Added 2008-04-09 09:23:49 UTC


Topic revision: r3 - 2017-01-11 - MaksymParpaley