[Snort-sigs] SID 331

Anton Chuvakin anton at ...1177...
Wed Feb 12 20:26:07 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop query"; content: "|0A| "; flow:to_server,established; depth:10; reference:arachnids,132; reference:cve,CVE-1999-0612; classtype:attempted-recon; sid:331; rev:6;)

--
Sid: 331

-- 

Summary: An information leak attempt against a finger daemon performed
by a vulnerability scanner

-- 

Impact: attacker will obtain information about some accounts on the
target system

--
Detailed Information:

The signature is triggered when the Cybercop vulnerability scanner
attempts to query the finger daemon.  The finger daemon is used to
provide information about the UNIX system users. It used to be
installed and enabled by default on most UNIX/Linux systems. The
attack will confirm that the target host will respond to finger
queries.

--

Attack Scenarios: a target machine is being tested for finger
weaknesses by a Cybercop vulnerability scanner

-- 

Ease of Attack: very simple, performed by a scanner

-- 

False Positives: not known

--
False Negatives: not known

-- 

Corrective Action: disable the fingerd daemon or limit the addresses
that can access the service via a firewall or TCP wrappers.


--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

http://www.whitehats.com/info/IDS132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0612
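
As an added illustration (not part of the original post and not Snort's own code), this Python example parses the rule text shown above and applies its port, direction, and depth-limited content checks to constructed payloads. The helper names are hypothetical, the content bytes are taken exactly as they appear on this page, and TCP session state (`established`) is not modeled.

```python
import re

# Rule text as shown on this page, joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop query"; '
        'content: "|0A| "; flow:to_server,established; depth:10; '
        'reference:arachnids,132; reference:cve,CVE-1999-0612; '
        'classtype:attempted-recon; sid:331; rev:6;)')

def decode_content(spec: str) -> bytes:
    """Decode Snort content syntax: |..| spans are hex bytes, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:  # odd-numbered segments sit between a pair of pipes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def parse_rule(rule: str) -> dict:
    """Extract the fields this example needs from the header and option list."""
    header, options = rule.split("(", 1)
    fields = header.split()  # action proto src sport -> dst dport
    opts = {}
    for m in re.finditer(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);', options):
        opts.setdefault(m.group(1), m.group(2).strip().strip('"'))
    return {"dst_port": int(fields[6]),
            "content": decode_content(opts["content"]),
            "depth": int(opts["depth"]),
            "sid": int(opts["sid"])}

def matches(rule: dict, dst_port: int, to_server: bool, payload: bytes) -> bool:
    """True when the port, direction, and depth-limited content checks all pass."""
    if dst_port != rule["dst_port"] or not to_server:
        return False
    # depth:N means the whole pattern must lie inside the first N payload bytes.
    return rule["content"] in payload[:rule["depth"]]

if __name__ == "__main__":
    rule = parse_rule(RULE)
    # Constructed payloads, not captured traffic.
    for p in (b"\n root\r\n", b"root\r\n", b"A" * 9 + b"\n "):
        print(rule["sid"], p, matches(rule, 79, True, p))
```
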





