# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: finger.rules,v 1.17.2.2 2003/02/07 22:04:49 cazz Exp $
#-------------
# FINGER RULES
#-------------
#

alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; classtype:attempted-admin; reference:nessus,10070; reference:cve,CAN-1999-0660; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; sid:320; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER search query"; flow:to_server,established; content:"search"; reference:cve,CVE-1999-0259; reference:arachnids,375; classtype:attempted-recon; sid:322;  rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER root query"; flow:to_server,established;  content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:323;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command \; execution attempt"; flow:to_server,established; content:"|3b|"; reference:cve,CVE-1999-0150; reference:bugtraq,974; reference:arachnids,379; classtype:attempted-user; sid:326;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7c|"; reference:cve,CVE-1999-0152; reference:bugtraq,2220; reference:arachnids,380; classtype:attempted-user; sid:327;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,CAN-1999-0106; classtype:attempted-dos; sid:328;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER redirection attempt"; flow:to_server,established; content:"@"; reference:nessus,10073; reference:arachnids,251; reference:cve,CAN-1999-0105; classtype:attempted-recon; sid:330; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop query"; content: "|0A|     "; flow:to_server,established; depth:10; reference:arachnids,132; reference:cve,CVE-1999-0612; classtype:attempted-recon; sid:331; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER 0 query"; flow:to_server,established; content:"0"; reference:nessus,10069; reference:arachnids,378; reference:arachnids,131; reference:cve,CAN-1999-0197; classtype:attempted-recon; sid:332; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . query"; flow:to_server,established; content:"."; reference:nessus,10072; reference:arachnids,130; reference:cve,CAN-1999-0198; classtype:attempted-recon; sid:333; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER version query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:1541; rev:4;)