false +ve for TFTP Filename Buffer Overflow

darin.marais
Level 4

I am receiving quite a few false positives for this signature.

The signature should only fire when it is sent to service port = 69, but I receive the signature for other ports. The table below shows fields from the log file captured at the sensor. Fields 18 and 19 are the src and dst ports.

I am using signature update s49. I have included my signature description below as it was captured from the sensor. Is anyone else on the list seeing this?

| cut -d , -f13,16,17,18,19 | sort | uniq

ALARM DESCRIPTION id, SRC IP, DST IP, SRCPORT, DSTPORT
4613,my.server,131.175.60.253,0,1650
4613,my.server,137.193.222.54,0,1864
4613,my.server,139.92.143.102,0,1769
4613,my.server,139.92.226.158,0,1175
4613,my.server,151.27.11.21,0,1087
4613,my.server,158.169.162.91,0,2201
4613,my.server,158.169.162.91,0,2209
4613,my.server,193.121.57.2,0,1543
4613,my.server,193.159.69.227,0,3472
4613,my.server,193.2.52.201,0,1839
4613,my.server,193.77.156.161,0,1735
4613,my.server,194.196.100.34,0,1482
4613,my.server,194.196.100.34,0,2418
4613,my.server,194.196.100.34,0,3341
4613,my.server,194.228.225.131,0,3099
4613,my.server,194.254.77.154,0,4905
4613,my.server,194.52.86.124,0,1267
4613,my.server,194.67.183.7,0,1955
4613,my.server,194.78.198.254,0,47853
4613,my.server,195.103.110.131,0,1266
4613,my.server,195.197.189.73,0,4974
4613,my.server,195.251.117.169,0,3147
4613,my.server,195.85.176.78,0,2512
4613,my.server,202.123.161.241,0,7000
4613,my.server,203.135.9.247,0,3610

Current Signature: Engine STRING.UDP SIGID 4613
SigName: TFTP Filename Buffer Overflow
 0 - Edit ALL Parameters
 1 - AlarmInterval =
 2 - AlarmThrottle = FireAll
 3 - ChokeThreshold =
 4 - Direction = ToService
 5 - FlipAddr =
 6 - LimitSummary =
 7 - MaxInspectLength =
 8 - MinHits =
 9 - MinMatchLength =
10 - ResetAfterIdle = 15
11 * ServicePorts = 69
12 - SigComment =
13 - SigStringInfo = GET/PUT filename
14 - ThrottleInterval = 15

>nrvers
Application Versions for ??.??
The Version of the Sensor is: 3.1(3)S49
postoffice v220 (Release) 01/12/14-20:01
fileXfer v175 (Release) 01/07/11-21:48
logger v220 (Release) 01/12/14-19:59
sap v220 (Release) 01/12/14-20:01
sensor v262 (Release) 02/05/08-17:28
manage v220 (Release) 01/12/14-20:00


darin.marais
Level 4

Is no one else on the list seeing this problem?

Can anyone tell me what the "*" means next to ServicePorts = 69.

Where in the signature does it look for non-printable characters and what non-printable characters does the signature look for?

This is a response to both of your posts. First, you will notice the source port for all of your alarms is 0. This is a known bug in 3.1(3). There is a 3.1(4) service pack that will fix this problem. Second, the "*" next to the ServicePorts parameter means that it is a required field. Lastly, we define non-printable characters as those in the ASCII range of \x80 to \xFF. These characters may indicate the presence of shell code in the filename of a TFTP request. A false positive is possible if non-ASCII character sets are used, but this is a rare occurrence in our experience.
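To make the signature's logic concrete, here is an added Python model (not Cisco's code or the signature's actual implementation) of the checks described in the reply above: only traffic to ServicePorts = 69 is inspected (Direction = ToService), and an RRQ/WRQ filename fires when it contains any byte in \x80-\xFF. The TFTP request layout follows RFC 1350; the sample requests, including the UTF-8 filename that reproduces the false-positive case, are constructed.

```python
import struct

TFTP_PORT = 69          # the signature's ServicePorts value
RRQ, WRQ = 1, 2         # TFTP read (GET) and write (PUT) request opcodes


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ payload, else None."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty piece after the final NUL
        return None
    return opcode, fields[0], fields[1]


def non_printable(filename: bytes) -> bool:
    """The thread's definition of non-printable: any byte in \\x80-\\xFF."""
    return any(b >= 0x80 for b in filename)


def sig_4613_fires(dst_port: int, payload: bytes) -> bool:
    """Model of SIGID 4613: ToService on UDP/69, GET/PUT filename with high bytes."""
    if dst_port != TFTP_PORT:  # ServicePorts = 69 limits inspection to this port
        return False
    req = parse_tftp_request(payload)
    return req is not None and non_printable(req[1])


def tftp_request(opcode: int, filename: bytes, mode: bytes = b"octet") -> bytes:
    """Build a constructed RRQ/WRQ payload for testing (not captured traffic)."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


# Constructed sample requests
BENIGN = tftp_request(RRQ, b"config.bin")                        # plain ASCII name
HIGH_BYTES = tftp_request(WRQ, b"A" * 16 + bytes(range(0x80, 0x90)))  # bytes >= 0x80
UTF8_NAME = tftp_request(RRQ, "résumé.txt".encode("utf-8"))      # non-ASCII charset

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("high bytes", HIGH_BYTES), ("utf-8 name", UTF8_NAME)]:
        print(f"{name:10s} port 69: {sig_4613_fires(69, pkt)}  port 1650: {sig_4613_fires(1650, pkt)}")
```

The UTF-8 case fires even though the name is a legitimate filename, which is the false positive the reply warns about; the same packet sent to port 1650 is never inspected under this model, so alarms logged with other destination ports point at the logging bug rather than the signature itself.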

Hi Matthew,

Thanks for the reply. I guess that I should have read the readme.txt before I posted the question. Thanks once again. The assistance is very appreciated.

Regards

Darin
