[Snort-sigs] Problems with SID 498: ATTACK RESPONSES id check returned root
Kenneth G. Arnold
bkarnold at ...1280...
Fri Apr 11 10:19:13 EDT 2003
If these System Managers were using secure shell, snort wouldn't see this
signature and fire an alert. Evidently these System Managers are using
telnet sessions and entering the root password in clear text when they
log in or change to root. If so, that sounds like a situation that needs
At 12:45 PM 4/11/03 -0400, Sam Evans wrote:
>No, but in a large environment such as ours, there are groups who are
>designated as System Managers, who do have root access. This rule fires
>anytime someone uses the id, or some other utility that prints out their
>current privilege status.
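
An added example, not part of the original thread: one way to act on the point above is to split SID 498 alerts into those where the `id` output came back from a cleartext login service (the telnet case described) and those that still need analyst review. The alert lines are constructed, and the function name, the port table and the assumption that alerts are logged in Snort's fast-alert format are this example's own.

```python
import re
from collections import Counter

# Snort fast-alert line: [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Well-known cleartext remote-login services (assumed table for this example).
CLEARTEXT_LOGIN = {23: "telnet", 513: "rlogin", 514: "rsh"}

# Constructed sample alerts: addresses, times, rev and the local rule are made up.
SAMPLE_ALERTS = """\
04/11-12:40:02.118301  [**] [1:498:3] ATTACK RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:23 -> 192.0.2.50:40112
04/11-12:41:17.004512  [**] [1:498:3] ATTACK RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:23 -> 192.0.2.51:40377
04/11-12:43:55.730090  [**] [1:498:3] ATTACK RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.11:514 -> 192.0.2.50:1021
04/11-12:44:09.250000  [**] [1:498:3] ATTACK RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.12:8080 -> 198.51.100.7:51515
04/11-12:44:30.000001  [**] [1:1000001:1] LOCAL constructed rule [**] [Priority: 3] {TCP} 192.0.2.13:23 -> 192.0.2.50:40999
"""

def triage_sid498(alert_text, sid=498):
    """Split alerts for `sid` into (a) counts per (server, service) where root
    output crossed the wire on a cleartext login service and (b) raw alert
    lines on any other port, which are left for an analyst."""
    hits = Counter()
    needs_review = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m["sid"]) != sid:
            continue
        # Assumption: the id output travels from the login server to the
        # client, so the server is the source side of the alerting packet.
        service = CLEARTEXT_LOGIN.get(int(m["sport"]))
        if service:
            hits[(m["src"], service)] += 1
        else:
            needs_review.append(line)
    return hits, needs_review

if __name__ == "__main__":
    hits, needs_review = triage_sid498(SAMPLE_ALERTS)
    for (server, service), count in sorted(hits.items()):
        print(f"{server}: {count} root session(s) seen over {service}")
    print(f"{len(needs_review)} alert(s) outside cleartext login ports need review")
```

The per-server counts are the hosts where root sessions still run over a cleartext service; the remaining alerts are the ones the rule exists to surface.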