[Snort-sigs] SID 325
anton at ...1177...
Thu Jan 30 20:33:03 EST 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe 0
Summary: An intelligence gathering attack against the finger daemon
Impact: attacker will obtain the list of some accounts existing on the
The signature is triggered when an attempt to use a finger command
against a UNIX host with a username of "0" is launched. Such a finger query
against the vulnerable finger daemon allows the attacker to obtain a list
of some accounts existing on the target system with some details on each
account (such as time and source of the last login). Knowing the list of
accounts might facilitate password guessing attacks, email attacks and
Attack Scenarios: an attacker learns that the "sys" account exists on the
system. He then proceeds to guess the password remotely and connects to
Ease of Attack: very easy, no exploit software required
False Positives: not known
False Negatives: not known
Corrective Action: disable the fingerd daemon or limit the addresses that
can access the service via firewall or TCP wrappers.
Contributors: Anton Chuvakin <http://www.chuvakin.org>
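
Added example, not part of the original submission and not the Snort rule's own matching logic: the Python below parses client payloads sent to TCP port 79 using the RFC 1288 query syntax and flags queries whose username is exactly "0", as the description above characterizes the probe. The function names and the host relay.example are hypothetical, and the sample payloads are constructed.

```python
# Added example: classify finger (TCP/79) request payloads and flag the "0" probe.
# Query syntax per RFC 1288: optional "/W" token, optional user, optional @host chain, CRLF.
from typing import NamedTuple, Optional

class FingerQuery(NamedTuple):
    verbose: bool          # "/W" token present
    user: Optional[str]    # None means "list logged-in users"
    hosts: tuple           # forwarding chain from user@host1@host2

def parse_finger_query(payload: bytes) -> Optional[FingerQuery]:
    """Parse the first line of a client-to-server payload on port 79."""
    line, sep, _ = payload.partition(b"\n")
    if not sep or len(line) > 512:
        return None                      # unterminated or oversized line: not a complete query
    try:
        text = line.rstrip(b"\r").decode("ascii")
    except UnicodeDecodeError:
        return None
    tokens = text.split()
    verbose = bool(tokens) and tokens[0].upper() == "/W"
    if verbose:
        tokens = tokens[1:]
    if len(tokens) > 1:
        return None                      # more than one user token is outside the grammar
    target = tokens[0] if tokens else ""
    user, *hosts = target.split("@")
    return FingerQuery(verbose, user or None, tuple(hosts))

def is_zero_probe(payload: bytes) -> bool:
    """True when the queried username is exactly "0" (the probe described for SID 325)."""
    q = parse_finger_query(payload)
    return q is not None and q.user == "0"

# Constructed sample payloads (not captured traffic); relay.example is a placeholder host.
SAMPLES = [b"0\r\n", b"/W 0\r\n", b"0@relay.example\r\n",
           b"root\r\n", b"user0\r\n", b"\r\n", b"0"]

def flagged(samples=SAMPLES):
    """Return the payloads classified as "0" probes."""
    return [s for s in samples if is_zero_probe(s)]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:24} zero_probe={is_zero_probe(s)}")
```

Matching on the parsed username rather than on a bare "0" byte avoids alerting on usernames that merely contain the digit, such as "user0".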