Rule: -- Sid: 1956 -- Summary: This event is generated when a request is made to discover the version and configuration information associated with the Remote Procedure Call (RPC) amd. -- Impact: Information disclosure. This request can allow an attacker to discover the version of amd running as well as other configuration information about the host. -- Detailed Information: The amd RPC service implements the automounter daemon on UNIX hosts. The amd service automatically mounts and unmounts requested file systems. An attacker can make a request to amd to discover its version number. A successful request will return the version number along with other valuable configuration information about the server, including the architecture. -- Affected Systems: Any system running amd. -- Attack Scenarios: An attacker may request the version number associated with amd. The response may give an attacker valuable configuration information about the host. -- Ease of Attack: Simple. Execute the command 'amq -v -U -h hostname/IP' - False Positives: None Known. -- False Negatives: None Known. -- Corrective Action: Limit remote access to RPC services. Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines. Disable unneeded RPC services. -- Contributors: Original rule written by Brian Caswell <bmc@sourcefire.com> Sourcefire Research Team Judy Novak <judy.novak@sourcefire.com> -- Additional References: --