[Snort-sigs] SID 331
anton at ...1177...
Wed Feb 12 20:26:07 EST 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop query"; content: "|0A| "; flow:to_server,established; depth:10; classtype:attempted-recon; sid:331; rev:6;)
Summary: An information leak attempt against a finger daemon performed
by a vulnerability scanner
Impact: attacker will obtain information about some accounts on the
The signature is triggered when the Cybercop vulnerability scanner
attempts to query the finger daemon. The finger daemon is used to
provide information about UNIX system users. It used to be
installed and enabled by default on most UNIX/Linux systems. The
attack will confirm that the target host will respond to finger
Attack Scenarios: a target machine is being tested for finger
weaknesses by a Cybercop vulnerability scanner
Ease of Attack: very simple, performed by a scanner
False Positives: not known
False Negatives: not known
Corrective Action: disable the fingerd daemon or limit the addresses that
can access the service via a firewall or TCP wrappers.
Contributors: Anton Chuvakin <http://www.chuvakin.org>
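
The content/depth test in the rule above, modelled in Python so analysts can check which client payloads would fire sid:331. This is an added example, not part of the original submission or of Snort itself. It uses the content string exactly as it appears on this page, does not model flow:to_server,established, and all sample payloads and function names are constructed for illustration.

```python
# Content string and depth copied from the sid:331 rule text on this page.
RULE_CONTENT = "|0A| "
RULE_DEPTH = 10


def decode_content(content: str) -> bytes:
    """Convert Snort content notation (literal text plus |hex| runs) to bytes.

    Simplification: backslash escapes inside the content string are not handled.
    """
    out = bytearray()
    # After splitting on '|', odd-numbered pieces are the hex runs.
    for i, part in enumerate(content.split("|")):
        if i % 2:
            out += bytes.fromhex(part)      # e.g. "0A" -> b"\n"
        else:
            out += part.encode("latin-1")   # literal characters
    return bytes(out)


def content_matches(payload: bytes, pattern: bytes, depth: int) -> bool:
    """True when the whole pattern lies inside the first `depth` payload bytes."""
    return pattern in payload[:depth]


def check_finger_payload(payload: bytes) -> bool:
    """Apply the rule's content and depth options to one client payload."""
    return content_matches(payload, decode_content(RULE_CONTENT), RULE_DEPTH)


# Constructed payloads (hypothetical, not captured scanner traffic).
SAMPLES = {
    "newline+space at start": b"\n root\r\n",
    "ordinary username query": b"root\r\n",
    "pattern ends exactly at byte 10": b"AAAAAAAA\n \r\n",
    "pattern straddles depth boundary": b"AAAAAAAAA\n \r\n",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        verdict = "ALERT" if check_finger_payload(payload) else "no match"
        print(f"{label:34s} {payload!r:22} {verdict}")
```

The third sample shows that any client data with a newline followed by a space inside the first 10 bytes satisfies the content test, which is worth keeping in mind when triaging alerts from this rule.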