[Snort-sigs] Problems with SID 498: ATTACK RESPONSES id check returned root

Sam Evans sam at ...219...
Fri Apr 11 09:19:06 EDT 2003

Well, the argument then becomes a policy one.  The problem we face is that
there are thousands of machines that are managed by several different
groups.  To have the rule fire when someone types 'id' from an internal
network is pointless.  We'd spend all of our day chasing around legitimate

On Fri, 11 Apr 2003, Kenneth G. Arnold wrote:

> So your aren't worried that someone within your own network could have
> obtained root privileges?  That's fine if you control all the machines in
> your network but not too good if there are hundreds of machines in your
> network that you don't control.
> I have taken the approach of writing a pass rule for the machines I control
> that generate this alert with normal activities.  Our network backup
> program generates a lot of these alerts as it communicates between the
> central tape server and the machines it is backing up.
> Ken
> At 10:14 AM 4/11/03 -0400, Sam Evans wrote:
> >We have been experiencing quite a few false positives with this particular
> >rule.  Things like support pages that contain the content trigger will
> >fire this rule off as well as support emails.
> >
> >I'd like to purpose the following change to the signature:
> >
> >before:
> >alert ip any any -> any any (msg:"ATTACK RESPONSES id
> >check returned root"; content: "uid=0(root)"; classtyp
> >e:bad-unknown; sid:498; rev:3;)
> >
> >after:
> >alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id
> >check returned root"; content: "uid=0(root)"; classtyp
> >e:bad-unknown; sid:498; rev:3;)
> >
> >What this would do is trigger the alert anytime someone from the OUTSIDE
> >received the phrase uid=0(root) that was source from a server on your home
> >net.  Thus indicating that someone on the outside has root privs. on a box
> >in your network.
> >
> >Thoughts?
> >
> >
> >
> >-------------------------------------------------------
> >This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger
> >for complex code. Debugging C/C++ programs can leave you feeling lost and
> >disoriented. TotalView can help you find your way. Available on major UNIX
> >and Linux platforms. Try it free. www.etnus.com
> >_______________________________________________
> >Snort-sigs mailing list
> >Snort-sigs at lists.sourceforge.net
> >https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list