GEN:SID 1:329
Message FINGER cybercop redirection
Summary This is an intelligence gathering activity. This event is indicative of a connection laundering attack against the finger daemon
Impact The attacker may obtain information about a third party host without making a direct connection to that host.
Detailed Information The event is generated when an attempt to use a machine to run
finger queries against a third party UNIX system is attempted by the
Cybercop vulnerability scanner.

The attack utilizes "finger forwarding" functionality, normally used to forward queries to a third party machine. The information is obtained without a direct connection to the said third party, since the target system performs a connection to the third party host for the attacker.

The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack if successful, will confirm that the target host will try to forward queries.
Affected Systems  
Attack Scenarios An attacker uses the Cybercop vulnerability scanner to test for this weakness.
Ease of Attack Simple, performed by a scanner
Corrective Action Disable the finger daemon or upgrade to a daemon without finger forwarding functionality

Additional References CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0105

Arachnids:
http://www.whitehats.com/info/IDS11
Rule References arachnids: 11