[Snort-sigs] SID 323
anton at ...1177...
Fri Jan 24 15:41:04 EST 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER root query";
flow:to_server,established; content:"root"; reference:arachnids,376;
classtype:attempted-recon; sid:323; rev:4;)
Summary: An intelligence gathering attack against the finger daemon
Impact: attacker will obtain the detailed information about the
administrative user account.
The signature is triggerred when an attempt to access the information
on the administrative account "root" on a UNIX system is made via the
finger service. The information that can be collected includes time
and source address of the last login and/or of current login sessions,
type of shell, path to home directory, mail forwarding address (often
reflecting the name of the person administrering the system) and the
time when "root" email was last read. This information can be used in
the attack planning
Attack Scenarios: an attacker learns that "root" has not logged in for
a long time. He hypothesizes that the system is not often used and
thus not likely secured.
Ease of Attack: very easy, no exploit software required
False Positives: not known
False Negatives: not known
Corrective Action: disable fingerd daemon or limit the addresses that
can access the service via firewall or TCP wrappers.
Contributors: Anton Chuvakin <http://www.chuvakin.org>
More information about the Snort-sigs