[Snort-sigs] Problems with SID 498: ATTACK RESPONSES id check returned root

Esler, Joel Contractor EslerJ at ...785...
Fri Apr 11 08:33:12 EDT 2003


Problem is that any traffic with this in it, including this email
because it contains the string, will trigger this event.

-----Original Message-----
From: Kenneth G. Arnold [mailto:bkarnold at ...1280...]
Sent: Friday, April 11, 2003 10:42 AM
To: Sam Evans; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Problems with SID 498: ATTACK RESPONSES id
check returned root


So you aren't worried that someone within your own network could have 
obtained root privileges?  That's fine if you control all the machines in 
your network but not too good if there are hundreds of machines in your 
network that you don't control.

I have taken the approach of writing a pass rule for the machines I control 
that generate this alert with normal activities.  Our network backup 
program generates a lot of these alerts as it communicates between the 
central tape server and the machines it is backing up.
Ken

At 10:14 AM 4/11/03 -0400, Sam Evans wrote:

>We have been experiencing quite a few false positives with this particular
>rule.  Things like support pages that contain the content trigger will
>fire this rule off as well as support emails.
>
>I'd like to propose the following change to the signature:
>
>before:
>alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
>
>after:
>alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
>
>What this would do is trigger the alert anytime someone from the OUTSIDE
>received the phrase uid=0(root) that was sourced from a server on your home
>net.  Thus indicating that someone on the outside has root privs. on a box
>in your network.
>
>Thoughts?
>



-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost and 
disoriented. TotalView can help you find your way. Available on major UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
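The three positions in the thread (the stock any-to-any SID 498, Sam's $HOME_NET -> $EXTERNAL_NET variant, and Ken's pass rule for a backup server) can be compared on a handful of constructed flows. The script below is an added example written for this page, not code from the thread or from the Snort project: it re-implements only the address-variable and content matching the discussion relies on, and the 10.0.0.0/8 HOME_NET, the 10.0.0.5 tape server, the 203.0.113.10 outside host and the payloads are all assumed sample values.

```python
"""Toy comparison of the SID 498 variants discussed in the thread.

Added example, not Snort code. HOME_NET, the hosts and the payloads are
assumed sample values; only the address-variable and content semantics
Snort 2.x rules use are modelled.
"""
import ipaddress
from dataclasses import dataclass

# Assumed site values (snort.conf would normally define HOME_NET).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
BACKUP_SERVER = "10.0.0.5/32"   # assumed address of Ken's central tape server

MSG = "ATTACK RESPONSES id check returned root"
SIG = b"uid=0(root)"            # the content: match from sid:498


@dataclass(frozen=True)
class Rule:
    action: str            # "alert" or "pass"
    src: str               # "any", "$HOME_NET", "$EXTERNAL_NET", or host/CIDR
    dst: str
    content: bytes         # case-sensitive substring, like Snort content:
    msg: str
    bidirectional: bool = False   # models the "<>" direction operator


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    payload: bytes
    note: str


def addr_matches(spec: str, ip_text: str) -> bool:
    """Resolve one rule address field against one IP, Snort-variable style."""
    ip = ipaddress.ip_address(ip_text)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ip in HOME_NET
    if spec == "$EXTERNAL_NET":        # defined as !$HOME_NET
        return ip not in HOME_NET
    return ip in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.content not in flow.payload:
        return False
    forward = addr_matches(rule.src, flow.src) and addr_matches(rule.dst, flow.dst)
    reverse = (rule.bidirectional
               and addr_matches(rule.src, flow.dst)
               and addr_matches(rule.dst, flow.src))
    return forward or reverse


def evaluate(rules, flow: Flow, pass_before_alert: bool = True):
    """Return the alert messages raised for one flow.

    Snort 2.x applies rule types in a fixed order. The default is
    alert -> pass -> log, so a pass rule does NOT suppress a matching alert
    unless Snort runs with -o (or 'config order: pass alert log').
    pass_before_alert=True models the -o ordering Ken's approach needs.
    """
    if pass_before_alert and any(r.action == "pass" and rule_matches(r, flow)
                                 for r in rules):
        return []
    return [r.msg for r in rules if r.action == "alert" and rule_matches(r, flow)]


# The three rulesets under discussion.
ORIGINAL = [Rule("alert", "any", "any", SIG, MSG)]                      # sid:498 rev:3 as quoted
DIRECTIONAL = [Rule("alert", "$HOME_NET", "$EXTERNAL_NET", SIG, MSG)]   # Sam's proposal
WITH_PASS = [Rule("pass", BACKUP_SERVER, "any", SIG, "backup traffic", bidirectional=True),
             Rule("alert", "any", "any", SIG, MSG)]                     # Ken's approach

# Constructed sample flows; the payloads are made up for this example.
FLOWS = [
    Flow("203.0.113.10", "10.0.1.20",
         b'Subject: Re: SID 498\r\n\r\n... content: "uid=0(root)"; sid:498 ...',
         "this mail, inbound"),
    Flow("10.0.1.20", "203.0.113.10", b"uid=0(root) gid=0(root) groups=0(root)\n",
         "id output to outside attacker"),
    Flow("10.0.0.5", "10.0.1.30", b"BACKUP OK owner uid=0(root) gid=0(root)\n",
         "backup server to client"),
    Flow("10.0.2.40", "10.0.1.30", b"uid=0(root) gid=0(root) groups=0(root)\n",
         "internal-only root shell"),
]


def compare(flows=FLOWS):
    """Map each variant name to the notes of the flows that alert under it."""
    variants = {"original": ORIGINAL, "directional": DIRECTIONAL,
                "original+pass": WITH_PASS}
    return {name: [f.note for f in flows if evaluate(rules, f)]
            for name, rules in variants.items()}


if __name__ == "__main__":
    for name, alerted in compare().items():
        print(f"{name:14s} -> {alerted}")
    # Without -o ordering the pass rule changes nothing:
    print("pass rule, default order ->", evaluate(WITH_PASS, FLOWS[2], pass_before_alert=False))
```

Running it shows the trade-off the thread is arguing about: the stock rule fires on all four flows, including the inbound mail; Sam's directional rule fires only on the id output leaving HOME_NET and is silent on the internal-only root shell Ken is worried about; the pass-rule approach keeps the internal case but only if Snort is started with `-o` so that pass rules are applied before alert rules.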
