[Snort-sigs] SID 331

Anton Chuvakin anton at ...1177...
Wed Feb 12 20:26:07 EST 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $


alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop query"; content: "|0A| "; flow:to_server,established; depth:10; reference:arachnids,132; reference:cve,CVE-1999-0612; classtype:attempted-recon; sid:331; rev:6;)

Sid: 331


Summary: An information leak attempt against a finger daemon performed
by a vulnerability scanner


Impact: attacker will obtain information about some accounts on the
target system

Detailed Information:

The signature is triggered when the Cybercop vulnerability scanner
attempts to query the finger daemon.  The finger daemon is used to
provide information about the UNIX system users. It used to be
installed and enabled by default on most UNIX/Linux systems. The
attack will confirm that the target host will respond to finger


Attack Scenarios: a target machine is being tested for finger
weaknesses by a Cybercop vulnerability scanner


Ease of Attack: very simple, performed by a scanner


False Positives: not known

False Negatives: not known


Corrective Action: disable the fingerd daemon or limit the addresses
that can access the service via a firewall or TCP wrappers.

Contributors: Anton Chuvakin <http://www.chuvakin.org>

Additional References:
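
The content/depth test in the rule above can be reproduced offline to check sample payloads against it. This is an added example, not part of the original submission or of Snort itself: the function names and sample payloads are constructed for illustration, and the port 79 and flow:to_server,established conditions are not modelled.

```python
import re

RULE_CONTENT = "|0A| "   # content string exactly as it appears in the rule
RULE_DEPTH = 10          # depth:10 from the rule


def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort content string to raw bytes.

    Text between pipes is hex (e.g. |0D 0A|); everything else is literal.
    Escaped characters and negation (!) are not handled here.
    """
    parts = content.split("|")          # alternates literal / hex segments
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, seg in enumerate(parts):
        if i % 2 == 0:
            out += seg.encode("latin-1")
        else:
            out += bytes.fromhex(re.sub(r"\s+", "", seg))
    return bytes(out)


def content_matches(payload: bytes, content: str, depth: int) -> bool:
    """True if the whole pattern lies within the first `depth` payload bytes."""
    return snort_content_to_bytes(content) in payload[:depth]


# Constructed finger request payloads (not captures of real scanner traffic).
SAMPLES = {
    "newline-space at start": b"\n \r\n",
    "ordinary user query": b"root\r\n",
    "newline-space inside a query": b"alice\n bob\r\n",
    "pattern straddles the depth limit": b"012345678\n \r\n",
}


def evaluate(samples: dict) -> dict:
    """Map each sample name to whether the rule's content test would fire."""
    return {name: content_matches(p, RULE_CONTENT, RULE_DEPTH)
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLES).items():
        print(f"{'ALERT' if hit else 'quiet'}  {name}")
```

The third sample shows that any request carrying a newline followed by a space in its first 10 bytes satisfies the content test, which is worth keeping in mind when assessing the False Positives field.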

