File: 1446.txt

snort 2.7.0-20.4
Rule:

--
Sid:
1446

--
Summary:
This event is generated when an external attacker uses the "vrfy root"
command to find the login name or mail alias of the system
administrator. This may also indicate a vulnerability scan.
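Added example (not part of the Snort rule set or the original documentation): a small Python check that flags client VRFY commands aimed at root in an SMTP session transcript. The function names, the (direction, line) transcript format and the sample session are assumptions made for illustration; the check goes slightly beyond the literal "vrfy root" string by also accepting root@domain and the bracketed <root@domain> form.

```python
import re

# SMTP verbs are case-insensitive; VRFY takes one string argument.
VRFY_RE = re.compile(r"^\s*VRFY[ \t]+(?P<arg>\S.*?)\s*$", re.IGNORECASE)


def vrfy_target(line):
    """Return the lower-cased local part a VRFY command asks about, else None."""
    m = VRFY_RE.match(line)
    if not m:
        return None
    arg = m.group("arg")
    # Accept <user@host> as well as a bare user name.
    if arg.startswith("<") and arg.endswith(">"):
        arg = arg[1:-1]
    arg = arg.strip('"')
    return arg.split("@", 1)[0].lower()


def find_vrfy_root(session, watched=("root",)):
    """Return indexes of client lines that VRFY one of the watched accounts.

    session is a list of (direction, line) pairs, "C" for client-to-server
    and "S" for server-to-client (hypothetical format for this example).
    """
    hits = []
    for i, (direction, line) in enumerate(session):
        if direction != "C":  # only inspect traffic sent to the server
            continue
        if vrfy_target(line) in watched:
            hits.append(i)
    return hits


# Constructed sample session, not captured traffic.
SAMPLE = [
    ("S", "220 mail.example.test ESMTP"),
    ("C", "HELO client.example.test"),
    ("S", "250 mail.example.test"),
    ("C", "vrfy root"),
    ("S", "250 System Administrator <admin@example.test>"),
    ("C", "VRFY   <Root@example.test>"),
    ("C", "VRFY rooter"),
    ("C", "MAIL FROM:<vrfy-root@example.test>"),
    ("C", "QUIT"),
]

if __name__ == "__main__":
    for idx in find_vrfy_root(SAMPLE):
        print(idx, SAMPLE[idx][1])
```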

--
Impact:
Information gathering. 

--
Detailed Information:
An attacker may be able to obtain the email alias or actual email
address of root users. This allows the attacker to know which email
accounts may be more valuable to target, and can be used by spammers or
as targets for denial of service attempts.

--
Affected Systems:
Systems running Sendmail.

--
Attack Scenarios:
An attacker uses vrfy root to obtain the name of administrators on the
server. The attacker now knows which accounts have administrative
access, and may use this information to focus later attacks.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Disable the vrfy command on your mail server, or update your Sendmail
configuration file so that Sendmail displays non-sensitive information
when it receives a vrfy root request.

--
Contributors:
Original rule written by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Sourcefire Technical Publications Team
Jen Harvey <jennifer.harvey@sourcefire.com>

--
Additional References:

RFC 821:
http://www.faqs.org/rfcs/rfc821.html

Security Space:
http://www.securityspace.com/smysecure/catid.html?viewsrc=1&id=10249

--