[Snort-sigs] SID 333

Steven Alexander alexander.s at ...1565...
Fri Jul 11 11:32:24 EDT 2003

Does anyone know more about this rule?  

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . query";
flow:to_server,established; content:"."; reference:nessus,10072;
reference:arachnids,130; reference:cve,CAN-1999-0198;
classtype:attempted-recon; sid:333; rev:5;) 

The following are the descriptions given by the associated references.
The first lacks detail and the other two seem to conflict.  

finger . at ...1481... on some systems may print information on some user

There is a bug in the finger service
which will make it display the list of the accounts that
have never been used, when anyone issues the request :

finger . at ...1668...

This event indicates a probe to a finger daemon to check for request
forwarding. This particular signature may be characteristic of Cybercop


More information about the Snort-sigs mailing list