GEN:SID 1:323
Message FINGER root query
Summary This is an intelligence gathering activity.
Impact The attacker may obtain detailed information about the administrative super user account.
Detailed Information This event is generated when an attempt to access information about the administrative account "root" on a UNIX system is made via the finger service.

The information that can be collected includes time and source address of the last login and/or current login sessions, type of shell, path to home directory, mail forwarding address (often reflecting the name of the person administrering the system) and the time when "root" email was last read. This information can be used in planning further attacks against the host.
Affected Systems  
Attack Scenarios The attacker learns that "root" has not logged in for a long time. He hypothesizes that the system is not often used and thus not likely to be patched or secured and may therefore, be vulnerable to a number of other attacks.
Ease of Attack Simple, no exploit software required
Corrective Action Disable the finger daemon or limit the addresses that can access the service via firewall or TCP wrappers.
Additional References Arachnids:
http://www.whitehats.com/info/IDS376
Rule References arachnids: 376