Rule:

--
Sid:
2047

--
Summary:
This event is generated when an attempt is made to access an rsync
module list.

--
Impact:
Information gathering. Possible theft of data.

--
Detailed Information:
rsync is used to synchronize data between two machines across a network.
It achieves this by only sending the differences between the files on 
each host.

Since it does not require both hosts to have the data it is 
synchronizing, it is possible to retrieve a number of files from one 
host without the corresponding files being present on the receiving 
host.

This presents the possibilty of using rsync to receive data from a
protected machine to an external host.

--
Affected Systems:
	All systems using rsync.

--
Attack Scenarios:
The attacker needs to make an rsync request for available modules.

--
Ease of Attack:
Simple

--
False Positives:
Systems using rsync to coordinate sets of data between hosts not in the 
same LAN.

--
False Negatives:
None Known

--
Corrective Action:
Access to files via rsync should be carefully managed using access 
control lists.

The transfer of files from an internal source to an external one should 
be carefully managed using the appropriate firewall rules.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

rsync Home:
http://samba.anu.edu.au/rsync/

University of Washington:
http://www.washington.edu/imap/buffer.html

--