[Snort-sigs] Problems with SID 498: ATTACK RESPONSES id check returned root

Russell Fulton r.fulton at ...575...
Fri Apr 11 14:29:06 EDT 2003


On Sat, 2003-04-12 at 06:42, Chris Green wrote:

> Has this rule ever helped anyone out being defined like it is in
> catching a machine rooting external entities?

No, I have not had it triggered in that context but given we are a large
open site I certainly am on the lookout for that.  I find this rule most
useful when it triggers with other exploit based rules.  i.e. I see a
portmapper request, statdx exploit *and* outgoing uid(0) and I reach
for the phone  ;-)

Yes I see quite a few false +ves, mainly in email and web traffic but I
normally ignore these unless there are other signs of trouble or reasons
for suspicion.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin
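The correlation Russell describes (only escalate a SID 498 "id check returned root" hit when exploit-style alerts hit the same host shortly before the uid=0 reply left it, and otherwise treat it as the usual mail/web false positive) as an added Python example; it is not code from the list post. It parses Snort alert_fast lines; the sample alerts, the hosts, and the exploit SIDs 999001/999002 standing in for the portmapper/statdx rules are all constructed placeholders.

```python
import re
from datetime import datetime

# One Snort alert_fast line, e.g.
# 04/11-14:20:05.000000 [**] [1:498:3] MSG [**] [Classification: ...] [Priority: 2] {TCP} A:p -> B:q
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[\d+:(?P<sid>\d+):\d+\] "
    r"(?P<msg>.*?) \[\*\*\] .*\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)
ROOT_CHECK_SID = "498"          # ATTACK RESPONSES id check returned root
EXPLOIT_SIDS = {"999001", "999002"}   # placeholders for the portmapper / statdx rules

def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")  # year-less, fine within a window
    return rec

def correlate(lines, exploit_sids=EXPLOIT_SIDS, window_s=300):
    """Split SID 498 hits into escalations {victim: [corroborating sids]} and ignored hits."""
    alerts = [a for a in map(parse_alert, lines) if a]
    escalations, ignored = {}, []
    for a in alerts:
        if a["sid"] != ROOT_CHECK_SID:
            continue
        victim = a["src"]  # the "uid=0(root)" reply flows victim -> attacker
        # exploit alerts are attacker -> victim, so match on their destination
        evidence = {b["sid"] for b in alerts
                    if b["sid"] in exploit_sids and b["dst"] == victim
                    and 0 <= (a["ts"] - b["ts"]).total_seconds() <= window_s}
        if evidence:
            escalations[victim] = sorted(set(escalations.get(victim, [])) | evidence)
        else:
            ignored.append(a)   # lone 498 hit (typically mail/web content), no corroboration
    return escalations, ignored

# Constructed sample alerts: a statd-style attack on 192.0.2.10, then a lone 498 from a web server.
SAMPLE_ALERTS = [
    "04/11-14:20:01.000000 [**] [1:999001:1] RPC portmap statd request [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.9:1023 -> 192.0.2.10:111",
    "04/11-14:20:03.000000 [**] [1:999002:1] RPC statd format string exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 203.0.113.9:1024 -> 192.0.2.10:32768",
    "04/11-14:20:05.000000 [**] [1:498:3] ATTACK RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:32771 -> 203.0.113.9:4444",
    "04/11-14:25:40.000000 [**] [1:498:3] ATTACK RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.25:80 -> 198.51.100.4:51000",
]

if __name__ == "__main__":
    esc, ign = correlate(SAMPLE_ALERTS)
    print("escalate:", esc)
    print("ignored :", [(a["src"], a["dst"]) for a in ign])
```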
