Emerging Threats


TFTP Rules


Had a really cool set of sigs from Nathaniel Richmond. These detect TFTP to an external host. As you know, a lot of the win32 worms out there still use tftp to move binaries after infection, so these are of particular interest. If you're using tftp over the internet (you shouldn't be), don't use these, or set suppression rules for known hosts.

#by Nathaniel Richmond
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2008120; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Write Request"; content:"|00 02|"; depth:2; classtype:bad-unknown; sid:2008116; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Data Transfer"; content:"|00 03|"; depth:2; classtype:bad-unknown; sid:2008117; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP ACK"; content:"|00 04|"; depth:2; classtype:bad-unknown; sid:2008118; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Error Message"; content:"|00 05|"; depth:2; classtype:bad-unknown; sid:2008119; rev:1;)
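The rules above match only the two-byte opcode at the start of the UDP payload. As an added example (not from the original post or from Nathaniel Richmond), this Python re-implements that check and decodes the rest of the TFTP header, with a constructed 192.168.0.0/16 standing in for $HOME_NET and constructed sample packets:

```python
import ipaddress

# Opcode -> (msg, sid), taken from the rules posted above
TFTP_RULES = {
    1: ("ET POLICY Outbound TFTP Read Request", 2008120),
    2: ("ET POLICY Outbound TFTP Write Request", 2008116),
    3: ("ET POLICY Outbound TFTP Data Transfer", 2008117),
    4: ("ET POLICY Outbound TFTP ACK", 2008118),
    5: ("ET POLICY Outbound TFTP Error Message", 2008119),
}
# Constructed stand-in for $HOME_NET; anything outside it is treated as $EXTERNAL_NET
HOME_NET = ipaddress.ip_network("192.168.0.0/16")

def describe(payload: bytes) -> str:
    """Decode the TFTP header (RFC 1350) so the alert says what was requested."""
    opcode = int.from_bytes(payload[:2], "big")
    if opcode in (1, 2):  # RRQ/WRQ: filename NUL mode NUL (padded in case a NUL is missing)
        filename, mode = (payload[2:].split(b"\x00") + [b"", b""])[:2]
        return f"file={filename.decode(errors='replace')!r} mode={mode.decode(errors='replace')!r}"
    if opcode in (3, 4):  # DATA/ACK carry a 16-bit block number
        return f"block={int.from_bytes(payload[2:4], 'big')}"
    code = int.from_bytes(payload[2:4], "big")  # ERROR: 16-bit code, NUL-terminated text
    text = payload[4:].split(b"\x00")[0].decode(errors="replace")
    return f"errcode={code} msg={text!r}"

def check_packet(src: str, dst: str, dport: int, payload: bytes):
    """Return (sid, msg, detail) if one of the rules above would fire, else None."""
    if dport != 69 or len(payload) < 2:
        return None
    if ipaddress.ip_address(src) not in HOME_NET or ipaddress.ip_address(dst) in HOME_NET:
        return None  # only $HOME_NET -> $EXTERNAL_NET
    opcode = int.from_bytes(payload[:2], "big")  # same check as content:"|00 0X|"; depth:2;
    if opcode not in TFTP_RULES:
        return None
    msg, sid = TFTP_RULES[opcode]
    return sid, msg, describe(payload)

# Constructed sample traffic: an internal host pulls a binary from an external TFTP server,
# then an internal transfer and a non-TFTP port that must not alert. Note that after the
# RRQ a real client talks to the server's ephemeral TID, so DATA/ACK sent to port 69 is unusual.
SAMPLES = [
    ("192.168.1.20", "203.0.113.7", 69, b"\x00\x01update.exe\x00octet\x00"),
    ("192.168.1.20", "203.0.113.7", 69, b"\x00\x04\x00\x01"),
    ("192.168.1.20", "192.168.1.5", 69, b"\x00\x01boot.img\x00octet\x00"),
    ("192.168.1.20", "203.0.113.7", 53, b"\x00\x01x\x00y\x00"),
]

def run(samples=SAMPLES):
    """Apply the rules to each sample and collect the alerts that fire."""
    return [hit for pkt in samples if (hit := check_packet(*pkt)) is not None]
```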

Last Updated (Wednesday, 09 April 2008 05:16)
