finger Analyzer

The finger analyzer processes traffic associated with the Finger service (RFC-1288). Bro instantiates a finger analyzer for any connection with service port 79/tcp (if you @load the finger analyzer in your script, or define your own finger_request or finger_reply handlers, of course).

The analyzer uses a capture filter of "port finger" (See: Filtering).

In the past, attackers often used Finger requests to obtain information about a site's users, and sometimes to launch attacks of various forms (buffer overflows, in particular). In our experience, exploitation of the service has greatly diminished over the past years (no doubt due in part to the service being increasingly turned off, or prohibited by firewalls). Now it is only rarely associated with an attack.
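
The following is an added example, not Bro's own code: a minimal RFC 1288 request-line parser in Python that tags the request patterns mentioned above (user listing, forwarding, oversized input) for review. The function name, the note names and the 128-byte threshold are assumptions, and the sample requests are constructed.

```python
import re

MAX_REQUEST_LEN = 128  # assumed review threshold; tune for your site

# RFC 1288 query: optional "/W", optional username, zero or more "@host" hops.
_QUERY = re.compile(
    r"^(?:(?P<w>/W)(?: +|$))?(?P<user>[^@ ]*)(?P<hosts>(?:@[^@ ]+)*)$"
)

def parse_finger_request(raw: bytes) -> dict:
    """Parse one Finger request line and attach defender-oriented notes."""
    notes = []
    if len(raw) > MAX_REQUEST_LEN:
        # Finger queries are short; very long input deserves a look.
        notes.append("oversized_request")
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in line):
        notes.append("non_printable_bytes")
    m = _QUERY.match(line.strip(" "))
    if m is None:
        notes.append("malformed_query")
        return {"full": False, "user": "", "hosts": [], "notes": notes}
    user = m.group("user")
    hosts = [h for h in m.group("hosts").split("@") if h]
    if hosts:
        # "user@host" asks the server to relay the query to another host.
        notes.append("forwarding_request")
    if not user:
        # An empty username asks for the list of logged-in users.
        notes.append("user_listing")
    return {"full": m.group("w") is not None, "user": user,
            "hosts": hosts, "notes": notes}

if __name__ == "__main__":
    # Constructed sample requests, one per pattern.
    samples = [b"\r\n", b"/W alice\r\n", b"alice@hostA@hostB\r\n",
               b"A" * 600 + b"\r\n"]
    for raw in samples:
        result = parse_finger_request(raw)
        print(len(raw), result["full"], result["hosts"], result["notes"])
```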