Symantec™ Security Gateways Reference Guide - Sawmill

IDS eventsProbes355Finger ProbingBase Event:Details:Response:Affected:FINGER_SEARCH_REQUESTThis generally represents an attempt at information probing.If seen in sufficient volume or variation location and audit of client is recommended.No specific targets.False Positives: None known.References:CVE-1999-0612http://www.whitehats.com (arachNIDS #375)Finger SpecificationsFTP ProbingBase Event:Details:Response:Affected:FTPCLI_ADMHACK_SCANAn “adm hack” FTP scan was detected. This is likely an information gathering attempt.Location and audit of client is recommended.No specific targets.False Positives: None known.References: http://www.whitehats.com (arachNIDS #375)FTP SpecificationsFTP ProbingBase Event:Details:Response:Affected:FTPCLI_ISS_SCANAn FTP scan by ISS Internet Scanner was detected. ISS Scanner is a system administration toolintended to aid in diagnosing security risks. An attacker may use it to gather vulnerabilityinformation about your systems.Location and audit of client is recommended.No specific targets.False Positives: None known.References:FTP SpecificationsFTP ProbingBase Event:Details:Response:FTPCLI_RETR_PASSWDAn attempt to retrieve the password file was detected. The RETR command was issued with thestring “passwd” in the argument. This indicates someone attempting to use FTP to copy yourpassword file (usually for later cracking).Location and audit of client is recommended. If the FTP server logs indicate a successful transfer ofthe password file, presume it’s cracked. All users listed in that password file should immediatelychange their passwords.