[Snort-sigs] SID 329

Anton Chuvakin anton at ...1177...
Wed Feb 12 20:26:02 EST 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $


alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop
redirection"; flow:to_server,established; content: "@localhost|0A|";
dsize:11; reference:arachnids,11; classtype:attempted-recon; sid:329;

Sid: 329


Summary: A connection laundering attack against the finger daemon


Impact: attacker will obtain information about a third party without a
direct connection to it

Detailed Information:

The signature is triggered when an attempt to use a machine to run
finger queries against the third party UNIX system is attempted by the
Cybercop vulnerability scanner.  The attack utilizes "finger
forwarding" functionality, normally used to forward queries to a third
party machine. The information is obtained without a direct connection
to the said third party, since the target system performs a
connection for the attacker. The finger daemon is used to provide
information about the UNIX system users. It used to be installed and
enabled by default on most UNIX/Linux systems. The attack will confirm
that the target host will indeed try to forward queries.


Attack Scenarios: a target machine is being tested for finger
weaknesses by a Cybercop vulnerability scanner


Ease of Attack: very simple, performed by a scanner


False Positives: not known

False Negatives: not known


Corrective Action: disable fingerd daemon or upgrade to a daemon with
no finger forwarding functionality

Contributors: Anton Chuvakin <http://www.chuvakin.org>

Additional References:
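
The following is an added example, not part of the original post or of Snort itself. It models the port, content and dsize options of the rule quoted above and sets them beside a broader check for any forwarding-style finger request (the "@host" query form from RFC 1288), so the rule's coverage can be tested on sample payloads. The function names, the regular expression and the sample payloads are assumptions constructed for illustration.

```python
# Added example: models the payload conditions of the rule quoted above.
import re

SID_329_CONTENT = b"@localhost\x0a"   # content:"@localhost|0A|" from the rule
SID_329_DSIZE = 11                    # dsize:11 from the rule
FINGER_PORT = 79                      # destination port from the rule header

# RFC 1288 forwarding query: optional "/W", optional user, one or more "@host".
# The pattern is an assumption written for this example, not taken from Snort.
FORWARD_RE = re.compile(
    rb"^(?:/W[ \t]*)?[^@\s]*((?:@[A-Za-z0-9.\-]+)+)[ \t]*\r?\n$")

def matches_sid_329(dst_port, payload):
    """True when the payload meets the rule's port, dsize and content options."""
    return (dst_port == FINGER_PORT
            and len(payload) == SID_329_DSIZE
            and SID_329_CONTENT in payload)

def forwarding_hops(payload):
    """Hosts that a finger request asks the daemon to relay the query through."""
    m = FORWARD_RE.match(payload)
    if not m:
        return []
    return m.group(1).decode("ascii").split("@")[1:]

def classify(dst_port, payload):
    """Label a request: exact rule match, generic forwarding, or neither."""
    if matches_sid_329(dst_port, payload):
        return "sid-329"
    if dst_port == FINGER_PORT and forwarding_hops(payload):
        return "finger-forwarding"
    return "no-match"

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    (79, b"@localhost\n"),            # the 11-byte request the rule describes
    (79, b"@localhost\r\n"),          # same query, 12 bytes with CRLF
    (79, b"root@host.example\r\n"),   # user lookup relayed to another host
    (79, b"root\r\n"),                # ordinary local lookup
    (80, b"@localhost\n"),            # same bytes on a non-finger port
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, data, classify(port, data), forwarding_hops(data))
```

Because dsize:11 equals the length of the content string, the rule matches only a payload that is exactly those 11 bytes; the broader check is what flags other forwarding requests sent to port 79.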

