[Snort-sigs] Problems with SID 498: ATTACK RESPONSES id check returned root
cmg at ...435...
Fri Apr 11 11:45:03 EDT 2003
Sam Evans <sam at ...219...> writes:
> We have been experiencing quite a few false positives with this particular
> rule. Things like support pages that contain the content trigger will
> fire this rule off as well as support emails.
> I'd like to propose the following change to the signature:
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
> What this would do is trigger the alert anytime someone from the OUTSIDE
> received the phrase uid=0(root) that was sourced from a server on your home
> net, thus indicating that someone on the outside has root privs. on a box
> in your network.
I'd agree. The time this comes in handy however is when someone
compromises a local machine and then starts rooting external
machines. I used to run a lot of outgoing type rules to catch this
type of traffic when I did deployments.
Has this rule ever helped anyone out being defined like it is in
catching a machine rooting external entities?
Chris Green <cmg at ...435...>
To err is human, to moo bovine.
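To make the direction argument in this thread concrete, here is an added example (not from the post or from the Snort project) that parses the proposed rule header and content option and evaluates it against three constructed flows: the support-page false positive, an inside box handing id output to an outside client, and the case Chris raises of an inside box receiving it from an outside machine. It assumes $HOME_NET is 192.168.1.0/24 and that $EXTERNAL_NET is defined as !$HOME_NET, which is the usual snort.conf setting.

```python
import ipaddress
import re

# Constructed network variable (assumption standing in for snort.conf).
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

# The revised rule exactly as proposed above, joined onto one line.
PROPOSED_RULE = ('alert ip $HOME_NET any -> $EXTERNAL_NET any '
                 '(msg:"ATTACK RESPONSES id check returned root"; '
                 'content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)')

def addr_matches(var, addr):
    """Resolve a Snort address variable against one IP ($EXTERNAL_NET assumed to be !$HOME_NET)."""
    if var == "any":
        return True
    home = any(ipaddress.ip_address(addr) in net for net in HOME_NET)
    return home if var == "$HOME_NET" else not home

def parse_rule(rule):
    """Extract the header fields, content string and sid from a one-line rule (subset used here)."""
    hdr, opts = rule.split("(", 1)          # first "(" opens the option list
    action, proto, src, sport, _arrow, dst, dport = hdr.split()
    content = re.search(r'content:\s*"([^"]*)"', opts).group(1)
    sid = int(re.search(r"sid:(\d+)", opts).group(1))
    return {"src": src, "dst": dst, "content": content.encode(), "sid": sid}

def rule_fires(rule, src, dst, payload):
    """True when the flow direction matches the header and the payload carries the content."""
    r = parse_rule(rule)
    return addr_matches(r["src"], src) and addr_matches(r["dst"], dst) and r["content"] in payload

# Constructed traffic: one flow per scenario discussed in the thread.
FLOWS = {
    "support page served to an inside browser":
        ("203.0.113.10", "192.168.1.20", b"<p>... you should see uid=0(root) gid=0(root) ...</p>"),
    "inside box answers an outside client with id output":
        ("192.168.1.5", "203.0.113.10", b"uid=0(root) gid=0(root)\n"),
    "outside box answers an inside (compromised) client":
        ("203.0.113.77", "192.168.1.5", b"uid=0(root) gid=0(root)\n"),
}

def evaluate():
    """Map each scenario to whether the proposed rule would alert on it."""
    return {name: rule_fires(PROPOSED_RULE, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{'ALERT' if fired else 'quiet'}  {name}")
```

Only the second flow alerts: the support-page noise is gone, but so is visibility of a local machine that has just rooted an external host, which is the coverage gap Chris asks about.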