[Snort-sigs] Problems with SID 498: ATTACK RESPONSES id check returned root

Sam Evans sam at ...219...
Fri Apr 11 07:16:01 EDT 2003


We have been experiencing quite a few false positives with this particular
rule.  Things like support pages that contain the content trigger will
fire this rule off as well as support emails.

I'd like to propose the following change to the signature:

before:
alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)

after:
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)

What this would do is trigger the alert anytime someone from the OUTSIDE
received the phrase uid=0(root) that was sourced from a server on your home
net, thus indicating that someone on the outside has root privs. on a box
in your network.

Thoughts?
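To see what the proposed header change does to the rule's coverage, here is a small Python model of the two headers run over constructed flows (an added example, not part of the original post or of the Snort sources; the $HOME_NET/$EXTERNAL_NET values and the IP addresses are assumed):

```python
import ipaddress
import re

# Constructed site variables for this example; real values come from snort.conf.
VARS = {"$HOME_NET": ["10.0.0.0/8"], "$EXTERNAL_NET": ["!10.0.0.0/8"]}

def addr_matches(spec, ip):
    """Does a header address field (any, $VAR, CIDR or !CIDR) cover this IP?"""
    if spec == "any":
        return True
    for entry in VARS.get(spec, [spec]):
        negate = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if (ipaddress.ip_address(ip) in net) != negate:
            return True
    return False

# Only the pieces of the rule this model needs: source/dest address fields and the content string.
HEADER = re.compile(r"^alert\s+\S+\s+(\S+)\s+\S+\s+->\s+(\S+)\s+\S+\s*\(")
CONTENT = re.compile(r'content:\s*"([^"]+)"')

def rule_fires(rule, src_ip, dst_ip, payload):
    """Minimal model of sid 498: address check on both ends plus a substring match."""
    src, dst = HEADER.match(rule).groups()
    content = CONTENT.search(rule).group(1)
    return addr_matches(src, src_ip) and addr_matches(dst, dst_ip) and content in payload

OPTS = '(msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)'
BEFORE = "alert ip any any -> any any " + OPTS
AFTER = "alert ip $HOME_NET any -> $EXTERNAL_NET any " + OPTS

# Constructed flows: (name, src, dst, payload). 203.0.113.0/24 is documentation address space.
FLOWS = [
    ("support email inbound", "203.0.113.5", "10.1.2.3", "run id; if you see uid=0(root) you are root"),
    ("shell output outbound", "10.1.2.3", "203.0.113.5", "uid=0(root) gid=0(root) groups=0(root)"),
    ("internal to internal", "10.1.2.3", "10.4.5.6", "uid=0(root) gid=0(root)"),
    ("benign outbound", "10.1.2.3", "203.0.113.5", "HTTP/1.0 200 OK"),
]

def compare(flows=FLOWS):
    """Return {flow name: (fires under BEFORE, fires under AFTER)}."""
    return {name: (rule_fires(BEFORE, s, d, p), rule_fires(AFTER, s, d, p)) for name, s, d, p in flows}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:24} before={before!s:5} after={after}")
```

The third flow shows the trade-off: with the new header, the same string moving between two hosts inside $HOME_NET no longer alerts.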
