Rule:--Sid:2009--Summary:CVS is the Concurrent Versions System, commonly used to help manage software development.--Impact:This may be an intelligence gathering activity or an attempt to connect to a CVS repository containing code not publicly available.--Detailed Information:This rule detects attempts to connect to a CVS repository that fail due indicate determined activity by an attacker to gain unauthorized access to the CVS respository.The source code of software in the repository may be compromised by a succesful attacker who could gain access to source code not intended forpublic viewing.For CVS daemons running under changed root conditions (chroot), the restof the operating system files may be protected.--Affected Systems:	All versions of CVS	--Attack Scenarios:This may be an intelligence gathering activity or an attempt to log in to a CVS repository that is not intended to be publicly available.--Ease of Attack:Simple.--False Positives:It is possible that an authorized user may mis-type the repository name.--False Negatives:Connections to the server using zlib compression will not generate thisevent.--Corrective Action:Disable the CVS daemon in the file /etc/inetd.conf. Run the CVS daemon as a user other than root that does not have a valid login to the machine.Disable anonymous access to the cvs server where appropriate.Maintain checks on the password database and the CVS repository logs.--Contributors:Sourcefire Research TeamBrian Caswell <bmc@sourcefire.com>Nigel Houghton <nigel.houghton@sourcefire.com>--Additional References:CVS:http://www.cvshome.org/docs/--