Rule:--Sid: 1928--Summary:This event is generated when activity relating to spurious ftp traffic is detected on the network.--Impact:Varies from information gathering to a serious compromise of an ftp server.--Detailed Information:FTP is used to transfer files between hosts. This event is indicative ofspurious activity in FTP traffic between hosts.The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.In this case, the rule will generate an event due to the attemptedtransfer of a shadow file. This file is generally used on muli-usersystems to provide greater security for user passwords. This file shouldonly be readable by the super user.--Attack Scenarios:A user may transfer sensitive company information to an external party using FTP. Retrieval of the shadow file may allow a user to crack theencryption scheme used and gain unauthorized access to the host.An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.--Ease of Attack:Simple.--False Positives:None Known--False Negatives:None Known--Corrective Action:Disallow access to FTP resources from hosts external to the protected network.Use secure shell (ssh) to transfer files as a replacement for FTP.--Contributors:Sourcefire Vulnerability Research TeamBrian Caswell <brian.caswell@sourcefire.com>Nigel Houghton <nigel.houghton@sourcefire.com>--Additional References:--