Rule:

--
Sid:
1444

--
Summary
This event is generated when a TFTP GET request is made.  This is an indication that someone is attempting to download a file on the server.

--
Impact:
A TFTP GET requests allows a remote attacker to download files on the TFTP server.  If the TFTP server allows anonymous TFTP GET requests it is possible to download any of the published files on the server..

--
Detailed Information:
This rule will generate an event on in-bound TFTP GET requests.  A TFTP GET request is generated when an attempt to download a file from the server is initiated.

--
Attack Scenarios:
Attackers may use TFTP to upload and download files from server that are properly or improperly configured.  Normally attackers attempt to locate TFTP servers using automated scanners and tools.  Once a TFTP server is located an attempt to write files and get files from the TFTP server is made.  Depending on the results of those tests attackers may attempt to further exploit that system, by overwriting system files or downloading password files to access the system.

Cisco ONS platforms allow unauthenticated access to files via TFTP. This event may be generated when an attempt is made to access files on a Cisco device using TFTP.

--
Ease of Attack:
Simple. Numerous tools and automated scripts exist for scanning large subnets for improperly configured TFTP servers.

--
False Positives:
Legitimate TFTP GET requests for polling routers or other network devices may trigger this rule.  

--
False Negatives
None known

--
Corrective Action
The TFTP server should be configured to only allow GET requests from trusted locations.

--
Contributors
Original rule writer unknown
Sourcefire Vulnerability Research Team
Matthew Watchinski <Matt.Watchinski@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0183

Bugtraq:
http://www.securityfocus.com/bid/9699

--
