Generated by : ../snort_rule_urlchecker version Thu Dec 1 22:06:24 PST 2005

Which may be found at http://www.grotto-group.com/~gulfie/projects... maybe

./snortrules-VRT_PR-2.4/rules/tftp.rules Fri Dec 2 01:26:48 2005
Filename : line Rules
./snortrules-VRT_PR-2.4/rules/tftp.rules : 1 # Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
./snortrules-VRT_PR-2.4/rules/tftp.rules : 2 #
./snortrules-VRT_PR-2.4/rules/tftp.rules : 3 # This file may contain proprietary rules that were created, tested and
./snortrules-VRT_PR-2.4/rules/tftp.rules : 4 # certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
./snortrules-VRT_PR-2.4/rules/tftp.rules : 5 # rules that were created by Sourcefire and other third parties and
./snortrules-VRT_PR-2.4/rules/tftp.rules : 6 # distributed under the GNU General Public License (the "GPL Rules"). The
./snortrules-VRT_PR-2.4/rules/tftp.rules : 7 # VRT Certified Rules contained in this file are the property of
./snortrules-VRT_PR-2.4/rules/tftp.rules : 8 # Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
./snortrules-VRT_PR-2.4/rules/tftp.rules : 9 # The GPL Rules created by Sourcefire, Inc. are the property of
./snortrules-VRT_PR-2.4/rules/tftp.rules : 10 # Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
./snortrules-VRT_PR-2.4/rules/tftp.rules : 11 # Reserved. All other GPL Rules are owned and copyrighted by their
./snortrules-VRT_PR-2.4/rules/tftp.rules : 12 # respective owners (please see www.snort.org/contributors for a list of
./snortrules-VRT_PR-2.4/rules/tftp.rules : 13 # owners and their respective copyrights). In order to determine what
./snortrules-VRT_PR-2.4/rules/tftp.rules : 14 # rules are VRT Certified Rules or GPL Rules, please refer to the VRT
./snortrules-VRT_PR-2.4/rules/tftp.rules : 15 # Certified Rules License Agreement.
./snortrules-VRT_PR-2.4/rules/tftp.rules : 16 #
./snortrules-VRT_PR-2.4/rules/tftp.rules : 17 #
./snortrules-VRT_PR-2.4/rules/tftp.rules : 18 # $Id: tftp.rules,v 1.19.2.1.2.2 2005/07/22 19:19:54 mwatchinski Exp $
./snortrules-VRT_PR-2.4/rules/tftp.rules : 19 #-----------
./snortrules-VRT_PR-2.4/rules/tftp.rules : 20 # TFTP RULES
./snortrules-VRT_PR-2.4/rules/tftp.rules : 21 #-----------
./snortrules-VRT_PR-2.4/rules/tftp.rules : 22 #
./snortrules-VRT_PR-2.4/rules/tftp.rules : 23 # These signatures are based on TFTP traffic. These include malicious files
./snortrules-VRT_PR-2.4/rules/tftp.rules : 24 # that are distributed via TFTP.
./snortrules-VRT_PR-2.4/rules/tftp.rules : 25 #
./snortrules-VRT_PR-2.4/rules/tftp.rules : 26 # The last two signatures refer to generic GET and PUT via TFTP, which is
./snortrules-VRT_PR-2.4/rules/tftp.rules : 27 # generally frowned upon on most networks, but may be used in some enviornments
./snortrules-VRT_PR-2.4/rules/tftp.rules : 28
./snortrules-VRT_PR-2.4/rules/tftp.rules : 29 alert udp any any -> any 69 (msg:"TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:1941; rev:9;)
./snortrules-VRT_PR-2.4/rules/tftp.rules : 30 alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2337; rev:8;)
./snortrules-VRT_PR-2.4/rules/tftp.rules : 31 alert udp any any - > any 69 (msg:"TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:4;)
./snortrules-VRT_PR-2.4/rules/tftp.rules : 32 alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:4;)
./snortrules-VRT_PR-2.4/rules/tftp.rules : 33 alert udp any any -> any 69 (msg:"TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:1442; rev:4;)
./snortrules-VRT_PR-2.4/rules/tftp.rules : 34 alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:1443; rev:4;)
./snortrules-VRT_PR-2.4/rules/tftp.rules : 35 alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:".."; offset:2; reference:arachnids,137; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:519; rev:6;)
./snortrules-VRT_PR-2.4/rules/tftp.rules : 36 alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"|00 01|/"; depth:3; reference:arachnids,138; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:5;)
./snortrules-VRT_PR-2.4/rules/tftp.rules : 37 alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00 02|"; depth:2; reference:arachnids,148; reference:cve,1999-0183; classtype:bad-unknown; sid:518; rev:6;)
./snortrules-VRT_PR-2.4/rules/tftp.rules : 38 alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)
./snortrules-VRT_PR-2.4/rules/tftp.rules : 39 alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:2;)
./snortrules-VRT_PR-2.4/rules/tftp.rules : 40 alert udp any any -> any 69 (msg:"TFTP GET transfer mode overflow attempt"; content:"|00 01|"; content:"|00|"; distance:1; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,13821; reference:cve,2005-1812; classtype:attempted-admin; sid:3817; rev:1;)
./snortrules-VRT_PR-2.4/rules/tftp.rules : 41 alert udp any any -> any 69 (msg:"TFTP PUT transfer mode overflow attempt"; content:"|00 02|"; content:"|00|"; distance:1; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,13821; reference:cve,2005-1812; classtype:attempted-admin; sid:3818; rev:1;)