[Snort-sigs] Problems with SID 498: ATTACK RESPONSES id check returned root

Chris Green cmg at ...435...
Fri Apr 11 11:45:03 EDT 2003

Sam Evans <sam at ...219...> writes:

> We have been experiencing quite a few false positives with this particular
> rule.  Things like support pages that contain the content trigger will
> fire this rule off as well as support emails.
> I'd like to purpose the following change to the signature:

> after:
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id
> check returned root"; content: "uid=0(root)"; classtyp
> e:bad-unknown; sid:498; rev:3;)
> What this would do is trigger the alert anytime someone from the OUTSIDE
> received the phrase uid=0(root) that was source from a server on your home
> net.  Thus indicating that someone on the outside has root privs. on a box
> in your network.
> Thoughts?

I'd agree.  The time this comes in handy however is when someone
compromises a local machine and then starts rooting external
machines. I used to run a lot of outgoing type rules to catch this
type of traffic when I did deployments.

Has this rule ever helped anyone out being defined like it is in
catching a machine rooting external entities?
Chris Green <cmg at ...435...>
To err is human, to moo bovine.

More information about the Snort-sigs mailing list