[Snort-sigs] SID 323

Brian bmc at ...95...
Sun Jan 26 16:37:02 EST 2003


Thanks for filling out all this rule documentation.  While these need a
bit of cleanup, it's great that you are doing all this work.  Thanks.

-brian

On Fri, Jan 24, 2003 at 06:40:01PM -0500, Anton Chuvakin wrote:
> # This is a template for submitting snort signature descriptions to
> # the snort.org website
> #
> # Ensure that your descriptions are your own
> # and not the work of others.  References in the rules themselves
> # should be used for linking to other's work.
> #
> # If you are unsure of some part of a rule, use that as a commentary
> # and someone else perhaps will be able to fix it.
> #
> # $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
> #
> #
> 
> Rule:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER root query";
> flow:to_server,established; content:"root"; reference:arachnids,376;
> classtype:attempted-recon; sid:323; rev:4;)
> 
> --
> Sid: 323
> 
> -- 
> 
> Summary: An intelligence gathering attack against the finger daemon
> 
> -- 
> 
> Impact: the attacker will obtain detailed information about the
> administrative user account.
> 
> --
> Detailed Information:
> 
> The signature is triggered when an attempt to access the information
> on the administrative account "root" on a UNIX system is made via the
> finger service. The information that can be collected includes time
> and source address of the last login and/or of current login sessions,
> type of shell, path to home directory, mail forwarding address (often
> reflecting the name of the person administering the system) and the
> time when "root" email was last read. This information can be used in
> attack planning.
> 
> --
> 
> Attack Scenarios: an attacker learns that "root" has not logged in for
> a long time. He hypothesizes that the system is not often used and
> thus not likely secured.
> 
> -- 
> 
> Ease of Attack: very easy, no exploit software required
> 
> -- 
> 
> False Positives: not known
> 
> --
> False Negatives: not known
> 
> -- 
> 
> Corrective Action: disable the fingerd daemon or limit the addresses that
> can access the service via a firewall or TCP wrappers.
> 
> --
> Contributors: Anton Chuvakin <http://www.chuvakin.org>
> 
> -- 
> Additional References:
> 
> http://www.whitehats.com/info/IDS376
> 
> 
> 

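The quoted rule matches on a bare `content:"root"` in client-to-server traffic to port 79, which is a substring test on the raw finger query, not a check that the requested username is exactly "root". The following Python is an added example, not code from the thread, from Snort or from the rule's author: it models that match against a few constructed finger queries (RFC 1288 style, including the `/W` verbose form) and places a stricter matcher beside it that parses the query line and compares the username exactly. `Packet`, `sid323_match`, `finger_username` and `strict_root_query` are hypothetical names chosen for this example; the sample traffic is constructed, not captured.

```python
"""Simulate SID 323's content:"root" match against constructed finger queries.

Added example for the snort-sigs discussion of SID 323; not part of the
original message or of Snort itself. All names and sample traffic here are
assumptions made for illustration.
"""

from dataclasses import dataclass

FINGER_PORT = 79


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    to_server: bool   # stands in for flow:to_server (client -> fingerd)
    payload: bytes    # reassembled application data


# Constructed sample traffic (RFC 1288 query forms); not captured data.
SAMPLES = [
    Packet("203.0.113.5", "192.0.2.10", 79, True, b"root\r\n"),       # plain query
    Packet("203.0.113.5", "192.0.2.10", 79, True, b"/W root\r\n"),    # verbose (-l) query
    Packet("203.0.113.5", "192.0.2.10", 79, True, b"rootbeer\r\n"),   # other user, substring hit
    Packet("203.0.113.5", "192.0.2.10", 79, True, b"\r\n"),           # "list all users" query
    Packet("192.0.2.10", "203.0.113.5", 79, False, b"Login: root\r\n"),  # server reply, wrong direction
    Packet("203.0.113.5", "192.0.2.10", 80, True, b"GET /root HTTP/1.0\r\n"),  # not port 79
]


def sid323_match(pkt: Packet) -> bool:
    """Literal rendering of the quoted rule: destination port 79, client-to-server
    direction, and the byte string "root" anywhere in the payload. The rule has
    no nocase modifier, so the test is case-sensitive, and it is a substring
    test, so any query containing "root" satisfies it."""
    return pkt.dport == FINGER_PORT and pkt.to_server and b"root" in pkt.payload


def finger_username(payload: bytes) -> str:
    """Parse the username out of an RFC 1288 query line.

    Handles the plain form "user CRLF", the verbose form "/W user CRLF" and the
    forwarding form "user@host CRLF" (only the local user part is returned).
    An empty string means the client asked for the list of logged-in users."""
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").strip()
    if line.startswith("/W"):
        line = line[2:].strip()
    return line.split("@", 1)[0]


def strict_root_query(pkt: Packet) -> bool:
    """Stricter variant: same port and direction, but the parsed username must
    be exactly "root" rather than merely contain it."""
    return (pkt.dport == FINGER_PORT and pkt.to_server
            and finger_username(pkt.payload) == "root")


def evaluate(packets):
    """Return (payload, rule_fires, strict_fires) for each packet."""
    return [(p.payload, sid323_match(p), strict_root_query(p)) for p in packets]


if __name__ == "__main__":
    for payload, loose, strict in evaluate(SAMPLES):
        print(f"{payload!r:32} content:\"root\"={loose!s:5} exact-username={strict}")
```

Running the script shows both matchers firing on `root\r\n` and `/W root\r\n`, only the literal rule firing on `rootbeer\r\n`, and neither firing on the empty "list users" query, on the server's reply (wrong direction) or on the port 80 request. Whether the substring behaviour matters on a given network depends on the local usernames; the example only makes visible what the rule as written does and does not check.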