[Snort-sigs] Problems with SID 498: ATTACK RESPONSES id check returned root

Kenneth G. Arnold bkarnold at ...1280...
Fri Apr 11 07:43:08 EDT 2003

So you aren't worried that someone within your own network could have 
obtained root privileges?  That's fine if you control all the machines in 
your network but not too good if there are hundreds of machines in your 
network that you don't control.

I have taken the approach of writing a pass rule for the machines I control 
that generate this alert with normal activities.  Our network backup 
program generates a lot of these alerts as it communicates between the 
central tape server and the machines it is backing up.

At 10:14 AM 4/11/03 -0400, Sam Evans wrote:

>We have been experiencing quite a few false positives with this particular
>rule.  Things like support pages that contain the content trigger will
>fire this rule off as well as support emails.
>I'd like to propose the following change to the signature:
>alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
>alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
>What this would do is trigger the alert anytime someone from the OUTSIDE
>received the phrase uid=0(root) that was source from a server on your home
>net.  Thus indicating that someone on the outside has root privs. on a box
>in your network.
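The pass-rule approach Kenneth describes, written out as an added example that is not from the thread. The backup server address, the variable name and the local SID are constructed; the rule body mirrors SID 498 so the pass only shadows that one match.

```snort
# Added example (not from the thread). Assumed: the central tape server
# lives at 10.0.0.5 (constructed) and talks to backup clients in $HOME_NET.
var BACKUP_SERVER 10.0.0.5

# Pass rule matching the same content as SID 498, restricted to traffic
# between the backup server and the hosts it backs up (bidirectional "<>").
# Local rule SIDs should be >= 1000000 to avoid colliding with the ruleset.
pass ip $BACKUP_SERVER any <> $HOME_NET any (msg:"PASS backup traffic matching SID 498"; content:"uid=0(root)"; sid:1000498; rev:1;)

# Caveat: Snort 2.x applies rule types in the order alert, log, pass by
# default, so the alert still fires first. Either change the order here
# or start snort with -o so pass rules are evaluated before alert rules.
config order: pass alert log
```

Keep the pass list as narrow as possible: any host pair covered by it is invisible to SID 498, so a compromised backup server would no longer trip the alert on those flows.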
