GEN:SID 1:1867
Message MISC xdmcp info query
Summary This event is generated when a remote user attempts to query the X Display Manager Control Protocol (XDMCP).
Impact Reconnaissance.  An attacker may obtain a list of usernames on the remote host.
Detailed Information The KDE Display Manager (KDM) provides a network protocol XDMCP to supply a graphical login screen.  It is possible to use this protocol to list the users on the remote host running XDMCP.  This provides reconnaissance and may be a precursor of attempting a brute force password attack of the revealed usernames.
Affected Systems Any host running XDMCP.
Attack Scenarios An attacker may obtain a list of current usernames on the remote host as a precursor of attempting a brute force attack to guess passwords of those users.
Ease of Attack Simple.
Corrective Action Block inbound XDMCP traffic.

Disable XDMCP as a listening service on the remote host unless it is required.
Additional References Arachnids:
http://www.whitehats.com/info/IDS476

Nessus:
http://cgi.nessus.org/plugins/dump.php3?id=10891
Rule References nessus: 10891