Rules: Outbound TFTP Traffic
TFTP is rarely used externally and has been observed as a means to deliver malicious code from the outside.
Detail | Value |
---|---|
Type | Match |
Category | Execution |
Apply Risk to Entities | device_ip, user_username, device_hostname, srcDevice_ip |
Signal Name | Outbound TFTP Traffic |
Summary Expression | Outbound TFTP traffic from IP: {{srcDevice_ip}} to IP: {{dstDevice_ip}} |
Score/Severity | Static: 5 |
Enabled by Default | True |
Prototype | False |
Tags | _mitreAttackTactic:TA0002, _mitreAttackTactic:TA0011, _mitreAttackTechnique:T1071, _mitreAttackTechnique:T1071.002 |
- Bro - Bro
- Cisco Systems - ASA
- Cisco Systems - Firepower
- Cisco Systems - Meraki
- Dell - Firewall
- Palo Alto Networks - Next Generation Firewall
Origin | Field |
---|---|
Normalized Schema | device_hostname |
Normalized Schema | device_ip |
Normalized Schema | dstDevice_ip_isInternal |
Normalized Schema | dstPort |
Normalized Schema | ipProtocol |
Normalized Schema | listMatches |
Normalized Schema | srcDevice_ip |
Normalized Schema | srcDevice_ip_isInternal |
Normalized Schema | user_username |