2009.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
2009

--
Summary:
CVS is the Concurrent Versions System, commonly used to 
help manage software development.

--
Impact:
This may be an intelligence gathering activity or an attempt to connect 
to a CVS repository containing code not publicly available.

--
Detailed Information:
This rule detects attempts to connect to a CVS repository that fail due 
indicate determined activity by an attacker to gain unauthorized access 
to the CVS respository.

The source code of software in the repository may be compromised by a 
succesful attacker who could gain access to source code not intended for
public viewing.

For CVS daemons running under changed root conditions (chroot), the rest
of the operating system files may be protected.

--
Affected Systems:
	All versions of CVS
	
--
Attack Scenarios:
This may be an intelligence gathering activity or an attempt to log in 
to a CVS repository that is not intended to be publicly available.

--
Ease of Attack:
Simple.

--
False Positives:
It is possible that an authorized user may mis-type the repository name.

--
False Negatives:
Connections to the server using zlib compression will not generate this
event.

--
Corrective Action:
Disable the CVS daemon in the file /etc/inetd.conf. Run the CVS daemon 
as a user other than root that does not have a valid login to the 
machine.

Disable anonymous access to the cvs server where appropriate.

Maintain checks on the password database and the CVS repository logs.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

CVS:
http://www.cvshome.org/docs/

--