GEN:SID 1:1443
Message TFTP GET passwd
Summary This event is generated when a TFTP GET request is made for the "passwd"
file.  This could be an indication that a remote attacker has
compromised a system on the network and is transfering sensitive files
back to the attacking system.  It may also be an indication of a generic
TFTP server scan that includes tests for generic system files.
Impact The "passwd" file normally stores users names for Unix based systems.  
If this file is being transfered over the network using TFTP it is
normally an indication of a system compromise.

In some situations this rule may only indicate a generic TFTP scan
attempt, as the attacker may be scanning a large range of IP addresses
for TFTP improperly configured TFTP servers.
Detailed Information This rule searches for the filename "passwd" in TFTP GET requests.  The
"passwd" file is used by Unix based systems to store users names for the
system.
Affected Systems  
Attack Scenarios After a successful system compromise an attacker may setup a tftp
service to transfer files back to the attacking system.  Under this
scenario the source address will point to the attack network and the
destination address will be an address defined in the HOME_NET.

Attackers may also scan large subnets for TFTP servers and make numerous
generic GET request for common system files.
Ease of Attack Simple: Numerous tools and automated scripts exist for scanning large
subnets for improperly configured TFTP servers.
Corrective Action Depending on the situation blocking the attacker at the upstream router
or firewall will eliminate the problem.  However, if the TFTP server is
incorrectly configured and is actually serving the "passwd" file, it
should be configured to only serve specific files from a safe directory.
Additional References