[Snort-sigs] SID 323

Anton Chuvakin anton at ...1177...
Fri Jan 24 15:41:04 EST 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $


alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER root query";
flow:to_server,established; content:"root"; reference:arachnids,376;
classtype:attempted-recon; sid:323; rev:4;)

Sid: 323


Summary: An intelligence gathering attack against the finger daemon


Impact: attacker will obtain the detailed information about the
administrative user account.

Detailed Information:

The signature is triggerred when an attempt to access the information
on the administrative account "root" on a UNIX system is made via the
finger service. The information that can be collected includes time
and source address of the last login and/or of current login sessions,
type of shell, path to home directory, mail forwarding address (often
reflecting the name of the person administrering the system) and the
time when "root" email was last read. This information can be used in
the attack planning


Attack Scenarios: an attacker learns that "root" has not logged in for
a long time. He hypothesizes that the system is not often used and
thus not likely secured.


Ease of Attack: very easy, no exploit software required


False Positives: not known

False Negatives: not known


Corrective Action: disable fingerd daemon or limit the addresses that
can access the service via firewall or TCP wrappers.

Contributors: Anton Chuvakin <http://www.chuvakin.org>

Additional References:


More information about the Snort-sigs mailing list