[Snort-sigs] SID 333
alexander.s at ...1565...
Fri Jul 11 11:32:24 EDT 2003
Does anyone know more about this rule?
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . query";
flow:to_server,established; content:"."; reference:nessus,10072;
classtype:attempted-recon; sid:333; rev:5;)
The following are the descriptions given by the associated references.
The first lacks detail and the other two seem to conflict.
finger . at ...1481... on some systems may print information on some user
There is a bug in the finger service
which will make it display the list of the accounts that
have never been used, when anyone issues the request :
finger . at ...1668...
This event indicates a probe to a finger daemon to check for request
forwarding. This particular signature may be characteristic of Cybercop
More information about the Snort-sigs