[Snort-sigs] Problems with SID 498: ATTACK RESPONSES id check returned root

Sam Evans sam at ...219...
Fri Apr 11 12:28:07 EDT 2003


Absolutely.  This is getting quite a bit off topic, but, in a perfect
world everyone would be using SSH, however, we all know the world's not
perfect and as such, we have to make do with what we have.

On Fri, 11 Apr 2003, Kenneth G. Arnold wrote:

> If these System Managers were using secure shell, snort wouldn't see this
> signature and fire an alert.  Evidently these System Managers are using
> telnet sessions and entering the root password in clear text when they
> login or change to root. If so, that sounds like a situation that needs
> attention.
>
> Ken
>
>
> At 12:45 PM 4/11/03 -0400, Sam Evans wrote:
> >No, but in a large environment such as ours, there are groups who are
> >designated as System Mangers, who do have root access.  This rule fires
> >anytime someone uses the id, or some other utility that prints out their
> >current privilege status.
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger
> for complex code. Debugging C/C++ programs can leave you feeling lost and
> disoriented. TotalView can help you find your way. Available on major UNIX
> and Linux platforms. Try it free. www.etnus.com
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>




More information about the Snort-sigs mailing list