GEN:SID 1:322
Message FINGER search query
Summary This event is genrated when an attempt is made to query the finger daemon to ascertain a list of usernames on a system.
Impact Information gatthering, the attacker may obtain the list of some accounts existing on the victim system as a prelude to further compromize.
Detailed Information The rule is triggerred when an attempt to use a search feature in
"cfingerd" version of a finger daemon is attempted. The search feature
allows the attacker to obtain the lists of accounts existing on the
target system by issuing a specially crafted finger request to
"search" for information. Knowing the list of accounts might
facilitate a password guessing attacks, email attacks or other abuse.
Affected Systems  
Attack Scenarios an attacker learns that "guest" account exists and
has never been used. He then guesses that the password for this
account and logs in to the system remotely using telnet.
Ease of Attack Simple, no exploit software required
Corrective Action Look for other IDS events involving the same IP addresses.

Look for suspicious logins to the affected system.

Disable the finger daemon or apply a vendor patch that removes the vulnerability
Additional References Arachnids:
http://www.whitehats.com/info/IDS375

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0259
Rule References arachnids: 375
cve: 1999-0259