[Snort-sigs] SID 328

Anton Chuvakin anton at ...1177...
Thu Jan 30 20:40:01 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,CAN-1999-0106; classtype:attempted-dos; sid:328; rev:5;)

--
Sid: 328

-- 

Summary: A Denial-of-Service attack against a finger daemon

-- 

Impact: attacker will overload the target machine or crash the finger daemon

--
Detailed Information:

The signature is triggered when a specifically crafted finger query is
directed at a target UNIX machine. Finger daemon is used to provide
information about the UNIX system users. It used to be installed and
enabled by default on most UNIX/Linux systems. The attack will crash or
overload the vulnerable machines by causing the finger daemon to go into a
loop. The attack abuses the buggy "finger forwarding" functionality,
normally used to forward queries to a third party machine (a security
risk in itself).

--

Attack Scenarios: an attacker runs an attack and slows the machine
down

-- 

Ease of Attack: very simple, no exploit software is required, just a
specially formatted finger query

-- 

False Positives: not known

--
False Negatives: not known

-- 

Corrective Action: disable fingerd daemon, patch it or limit the addresses
that can access the service via firewall or TCP wrappers.

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0106
http://www.whitehats.com/info/IDS381
http://www.iss.net/security_center/advice/Intrusions/2001103/default.htm
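
Added example, not part of the original post or of Snort: a small Python triage helper that applies the rule's literal "@@" match to finger request payloads and, going beyond the rule, labels forwarded queries so that use of finger forwarding is visible in captured traffic. The function names and sample payloads are constructed, and each payload is assumed to be client-to-server data on an established session.

```python
# Added example: offline triage of finger requests, mirroring SID 328.
FINGER_PORT = 79       # destination port from the rule header
RULE_CONTENT = b"@@"   # literal from the rule's content option


def parse_finger_request(payload):
    """Split the first request line into verbose flag, user and forwarding hops."""
    line = payload.splitlines()[0] if payload else b""
    rest = line.strip()
    verbose = rest[:2].upper() == b"/W"   # optional verbose switch
    if verbose:
        rest = rest[2:].lstrip()
    user, sep, hosts = rest.partition(b"@")
    hops = hosts.split(b"@") if sep else []   # each "@" adds one forwarding hop
    return {
        "verbose": verbose,
        "user": user.decode("ascii", "replace"),
        "hops": [h.decode("ascii", "replace") for h in hops],
    }


def triage(dst_port, payload):
    """Return 'ignored', 'alert' (rule content present), 'forwarded' or 'local'."""
    if dst_port != FINGER_PORT:
        return "ignored"                  # the rule only inspects port 79
    if RULE_CONTENT in payload:
        return "alert"                    # same match as content:"@@"
    return "forwarded" if parse_finger_request(payload)["hops"] else "local"


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    (79, b"alice\r\n"),
    (79, b"/W alice\r\n"),
    (79, b"alice@host.example\r\n"),
    (79, b"@@\r\n"),
    (80, b"x@@y\r\n"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, data, triage(port, data))
```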




