[Snort-sigs] Problems with SID 498: ATTACK RESPONSES id check returned root

Kenneth G. Arnold bkarnold at ...1280...
Fri Apr 11 10:19:13 EDT 2003

If these System Managers were using secure shell, snort wouldn't see this 
signature and fire an alert.  Evidently these System Managers are using 
telnet sessions and entering the root password in clear text when they 
login or change to root. If so, that sounds like a situation that needs 


At 12:45 PM 4/11/03 -0400, Sam Evans wrote:
>No, but in a large environment such as ours, there are groups who are
>designated as System Mangers, who do have root access.  This rule fires
>anytime someone uses the id, or some other utility that prints out their
>current privilege status.

More information about the Snort-sigs mailing list