# This is a template for submitting snort signature descriptions to
Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop redirection"; flow:to_server,established; content:"@localhost|0A|"; dsize:11; reference:arachnids,11; classtype:attempted-recon; sid:329; rev:6;)
--
Sid: 329
--
Summary: A connection laundering attack against the finger daemon
--
Impact: attacker will obtain information about a third party without a
direct connection to it
--
Detailed Information:
The signature is triggered when the Cybercop vulnerability scanner
attempts to use the target machine to run finger queries against a
third-party UNIX system. The attack utilizes the "finger forwarding"
functionality, normally used to forward queries to a third-party
machine. The information is obtained without a direct connection to the
said third party, since the target system performs the connection on
the attacker's behalf. The finger daemon is used to provide information
about the UNIX system's users. It used to be installed and enabled by
default on most UNIX/Linux systems. The attack will confirm that the
target host will indeed try to forward queries.
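The following is an added example, not part of the original post or of the Snort rule set: it re-implements the payload tests of SID 329 (the exact 11-byte "@localhost\n" probe) next to a broader, assumed heuristic that flags any finger query carrying an "@" forwarding target, so the two can be compared on constructed sample requests.

```python
# Added example (not from the original post). Re-implements the payload
# checks of Snort SID 329 and a broader forwarding heuristic for comparison.

RULE_CONTENT = b"@localhost\n"  # content:"@localhost|0A|" from the rule
RULE_DSIZE = 11                 # dsize:11 from the rule


def matches_sid_329(payload: bytes) -> bool:
    """Payload tests of SID 329 on one client->server finger segment.
    The port 79 and flow:to_server,established checks are assumed met."""
    return len(payload) == RULE_DSIZE and RULE_CONTENT in payload


def is_forwarding_request(payload: bytes) -> bool:
    """Assumed, broader heuristic (not part of the rule): an RFC 1288 query
    of the form user@host asks the daemon to relay the query to 'host'."""
    query = payload.rstrip(b"\r\n")
    if query.startswith(b"/W"):      # optional verbose switch, ignore it
        query = query[2:].lstrip()
    return b"@" in query


# Constructed sample finger requests (client -> server payloads).
SAMPLES = [
    b"@localhost\n",            # the Cybercop probe described above
    b"@localhost\r\n",          # same probe with CRLF: dsize is 12, not 11
    b"root@victim.example\n",   # forwarding to a third party, not the probe
    b"/W @localhost\n",         # verbose probe: dsize mismatch again
    b"root\n",                  # ordinary single-user query
    b"\n",                      # "list all users" query
]


def classify(payloads):
    """Return (payload, sid329_hit, forwarding_hit) for each sample."""
    return [(p, matches_sid_329(p), is_forwarding_request(p)) for p in payloads]


if __name__ == "__main__":
    for payload, hit, fwd in classify(SAMPLES):
        print(f"{payload!r:28} sid329={hit!s:5} forwarding={fwd}")
```

Only the first sample fires the rule; the other forwarding variants show where the exact dsize:11 match leaves coverage to a broader check or to disabling forwarding on the daemon.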
--
Attack Scenarios: a target machine is being tested for finger
weaknesses by a Cybercop vulnerability scanner
--
Ease of Attack: very simple, performed by a scanner
--
False Positives: not known
--
False Negatives: not known
--
Corrective Action: disable the finger daemon (fingerd) or upgrade to a
daemon with no finger forwarding functionality
--
Contributors: Anton Chuvakin <http://www.chuvakin.org>
--
Additional References:
http://www.whitehats.com/info/IDS11
http://www.iss.net/security_center/advice/Intrusions/2001102/default.htm
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Wed Feb 12 23:54:51 2003