[Snort-sigs] SID 332
anton at ...1177...
Wed Feb 12 20:26:10 EST 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER 0 query";
flow:to_server,established; content:"0"; reference:nessus,10069;
reference:cve,CAN-1999-0197; classtype:attempted-recon; sid:332;
Summary: An intelligence gathering attack against the finger daemon
Impact: attacker will obtain the list of some accounts existing on the
The signature is triggered by an attempt to use a finger command
against a host with a username of "0". Such a finger query against the
vulnerable finger daemon allows the attacker to obtain a list of some
accounts existing on the target system with some details on each
account (such as time and source of the last login). Knowing the list
of accounts might facilitate password guessing attacks, email
attacks and other abuse.
Attack Scenarios: an attacker learns that "sys" account exists on the
system. He then proceeds to guess the password remotely and connect to
Ease of Attack: very easy, no exploit software required
False Positives: not known
False Negatives: not known
Corrective Action: disable fingerd daemon or limit the addresses that
can access the service via firewall or TCP wrappers.
Contributors: Anton Chuvakin <http://www.chuvakin.org>
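
Added example for alert triage (not part of the original post and not Snort code): a Python approximation of the rule's payload test, content:"0" with no offset or depth, beside a parser for the finger query line, run over constructed queries to show which alerts correspond to an actual "0" username. The function names, the regular expression and the sample queries are assumptions made for illustration.

```python
import re

# Finger query line (RFC 1288): optional "/W", optional username,
# optional "@host" forwarding hops, then CRLF.
QUERY_RE = re.compile(
    rb"^(?:/W(?:[ \t]+|(?=[\r\n]|$)))?[ \t]*"
    rb"(?P<user>[^@\s]*)(?P<hosts>(?:@[^@\s]+)*)[ \t]*\r?\n?$"
)

def rule_matches(payload: bytes) -> bool:
    """Approximate the payload test of SID 332: the byte "0" anywhere
    in the client-to-server payload (case-sensitive, unanchored)."""
    return b"0" in payload

def requested_user(payload: bytes):
    """Return the username asked for, "" for a list-all query,
    or None if the payload is not a well-formed finger query."""
    m = QUERY_RE.match(payload)
    if m is None:
        return None
    return m.group("user").decode("ascii", "replace")

def is_zero_query(payload: bytes) -> bool:
    """True only when the requested username is exactly "0"."""
    return requested_user(payload) == "0"

# Constructed sample payloads as seen on TCP port 79 (not captured traffic).
SAMPLES = [
    b"0\r\n",               # the query the signature description targets
    b"/W 0\r\n",            # same query, verbose form
    b"bob2003\r\n",         # ordinary username that contains a "0"
    b"root@10.0.0.5\r\n",   # forwarded query, "0" only in the host part
    b"alice\r\n",           # ordinary query, no "0" at all
    b"\r\n",                # list-all query
]

def triage(samples):
    """Return (payload, rule_fired, is_zero_query) for each sample."""
    return [(p, rule_matches(p), is_zero_query(p)) for p in samples]

if __name__ == "__main__":
    for payload, fired, zero in triage(SAMPLES):
        print(f"{payload!r:24} alert={fired!s:5} zero_query={zero}")
```
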