[Snort-sigs] SID 333

Matt Kettler mkettler at ...189...
Fri Jul 11 16:46:09 EDT 2003

At 11:32 AM 7/11/2003 -0700, Steven Alexander wrote:
>Does anyone know more about this rule?
>alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . query";
>flow:to_server,established; content:"."; reference:nessus,10072;
>reference:arachnids,130; reference:cve,CAN-1999-0198;
>classtype:attempted-recon; sid:333; rev:5;)
>The following are the descriptions given by the associated references.
>The first lacks detail and the other two seem to conflict.

Actually the short description at whitehats conflicts, however the 
"research" section of the same site is in total agreement with nessus. I'm 
not sure why the short description contains the term "request forwarding", 
probably a copy-paste artifact.

The "request forwarding" issue is where you do finger at ...1669...@yourplace. 
This basically causes your server to forward the finger request to 
"someplace", but is completely unrelated to this rule, and completely 
unrelated to the research presented under arachnids #130.

The issue here is finger . at ...1670..., which is a "list users that have 
never logged in" issue.
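
Added example, not part of the original post: a small triage helper that separates the two finger request types discussed in this thread (the "." query and request forwarding) and shows which payloads the rule's bare content:"." test would match. The function names and sample payloads are constructed for illustration; the parsing assumes RFC 1288 style request lines with an optional /W switch.

```python
import re

# Optional RFC 1288 verbose switch ("/W") and any whitespace after it.
_VERBOSE = re.compile(rb"^/W\s*", re.IGNORECASE)

def classify_finger_request(payload: bytes) -> str:
    """Classify a finger (TCP/79) request line.

    Returns "dot-query", "forwarding", "user-query" or "list-query".
    """
    line = payload.split(b"\n", 1)[0].strip()   # first line, CRLF removed
    line = _VERBOSE.sub(b"", line).strip()
    if not line:
        return "list-query"      # empty request: list logged-in users
    if b"@" in line:
        return "forwarding"      # user@host or @host: relay request
    if line == b".":
        return "dot-query"       # the query SID 333 is about
    return "user-query"

def sid333_content_matches(payload: bytes) -> bool:
    """Mirror the quoted rule's content:"." test: a dot anywhere in the payload."""
    return b"." in payload

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    b".\r\n",
    b"/W .\r\n",
    b"root\r\n",
    b"john.smith\r\n",
    b"user@host.example\r\n",
    b"\r\n",
]

def triage(samples=SAMPLES):
    """Return (payload, request kind, whether the content test matches)."""
    return [(s, classify_finger_request(s), sid333_content_matches(s))
            for s in samples]

if __name__ == "__main__":
    for payload, kind, fires in triage():
        print(f"{payload!r:28} {kind:12} content_match={fires}")
```

Because the rule as quoted has no offset or depth on its content match, user names and forwarded host names that contain a dot also match, so an alert on SID 333 needs the payload checked before it is treated as a "." query.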


