[Snort-sigs] SID 333

Steven Alexander alexander.s at ...1565...
Fri Jul 11 11:32:24 EDT 2003


Does anyone know more about this rule?  

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . query";
flow:to_server,established; content:"."; reference:nessus,10072;
reference:arachnids,130; reference:cve,CAN-1999-0198;
classtype:attempted-recon; sid:333; rev:5;) 

The following are the descriptions given by the associated references.
The first lacks detail and the other two seem to conflict.  

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0198
finger . at ...1481... on some systems may print information on some user
accounts.

http://cgi.nessus.org/plugins/dump.php3?id=10072
There is a bug in the finger service
which will make it display the list of the accounts that
have never been used, when anyone issues the request:

finger . at ...1668...

http://www.whitehats.com/info/IDS130
This event indicates a probe to a finger daemon to check for request
forwarding. This particular signature may be characteristic of Cybercop
scanner.  

-steven
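
What the rule as posted matches, as an added example that is not part of the original post: a small Python model of the rule's destination port and content check, run over constructed finger request lines. The function names and sample payloads are assumptions made for illustration; flow state and content modifiers such as offset or depth are not modelled.

```python
import re

# Rule text copied from the post (SID 333, rev 5), joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . query"; '
        'flow:to_server,established; content:"."; reference:nessus,10072; '
        'reference:arachnids,130; reference:cve,CAN-1999-0198; '
        'classtype:attempted-recon; sid:333; rev:5;)')

def parse_rule(rule):
    """Return (destination port, [(option, value), ...]) for a Snort rule."""
    header, _, body = rule.partition("(")
    dport = header.split()[-1]
    opts = []
    for m in re.finditer(r'\s*([a-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;', body):
        opts.append((m.group(1), m.group(2).strip('"') if m.group(2) else None))
    return dport, opts

def content_bytes(pattern):
    """Decode a Snort content string, including |hex| segments."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def matches(rule, dport, payload):
    """True if a client-to-server payload sent to dport contains every
    content pattern of the rule (plain content only, no modifiers)."""
    rule_dport, opts = parse_rule(rule)
    if rule_dport != str(dport):
        return False
    return all(content_bytes(v) in payload for k, v in opts if k == "content")

# Constructed finger request lines (RFC 1288 style), not captured traffic.
SAMPLES = {
    "dot query": b".\r\n",
    "plain user": b"root\r\n",
    "user list": b"\r\n",
    "forwarded": b"alice@host.example.com\r\n",
    "dotted user": b"first.last\r\n",
}

def triage():
    """Map each sample name to whether the rule would match it."""
    return {name: matches(RULE, 79, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{name:12} {'ALERT' if hit else '-'}")
```

Because content:"." carries no offset or depth, any request to port 79 that contains a dot matches, not only the bare "." query.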




