[Snort-sigs] Problems with SID 498: ATTACK RESPONSES id check returned root

Russell Fulton r.fulton at ...575...
Fri Apr 11 14:29:06 EDT 2003

On Sat, 2003-04-12 at 06:42, Chris Green wrote:

> Has this rule ever helped anyone out being defined like it is in
> catching a machine rooting external entities?

No, I have not had it triggered in that context, but given we are a large
open site I certainly am on the lookout for that.  I find this rule most
useful when it triggers along with other exploit based rules, i.e. I see
portmapper request, statdx exploit *and* outgoing uid(0) and I reach
for the phone  ;-)

Yes I see quite a few false +ves, mainly in email and web traffic but I
normally ignore these unless there are other signs of trouble or reasons
for suspicion.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin
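The correlation Russell describes (escalate a SID 498 "uid=0" response only when the same host was just hit by portmapper/statd-style exploit alerts, otherwise treat it as email/web noise), as an added example that is not part of the original post. It assumes Snort's one-line "fast" alert format; the sample alerts and all SIDs other than 498 are constructed placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample alerts in Snort's one-line "fast" alert format. Only SID 498
# is the real rule from the thread; the other SIDs are placeholders invented here.
SAMPLE_ALERTS = """\
04/11-14:01:03.100000  [**] [1:9000001:1] RPC portmap request (placeholder sid) [**] [Priority: 2] {TCP} 203.0.113.7:3211 -> 10.1.2.3:111
04/11-14:01:05.400000  [**] [1:9000002:1] RPC statd exploit attempt (placeholder sid) [**] [Priority: 1] {UDP} 203.0.113.7:3212 -> 10.1.2.3:32768
04/11-14:01:09.900000  [**] [1:498:6] ATTACK RESPONSES id check returned root [**] [Priority: 2] {TCP} 10.1.2.3:32773 -> 203.0.113.7:4444
04/11-14:20:00.000000  [**] [1:498:6] ATTACK RESPONSES id check returned root [**] [Priority: 2] {TCP} 10.1.2.50:80 -> 198.51.100.9:51022
"""
# SIDs of the exploit/probe rules whose presence turns a lone SID 498 into an incident.
EXPLOIT_SIDS = {9000001, 9000002}
ID_ROOT_SID = 498

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)

def parse_alerts(text):
    """Turn fast-format lines into dicts with a datetime, sid, msg, src and dst."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:  # anything that is not a well-formed alert line is skipped
            a = m.groupdict()
            a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
            a["sid"] = int(a["sid"])
            alerts.append(a)
    return alerts

def correlate(text, window=timedelta(minutes=10)):
    """Map host -> supporting exploit alerts for each SID 498 whose source host was
    the *target* of an exploit-class alert within `window`; unsupported 498s are dropped."""
    alerts = parse_alerts(text)
    hits = {}
    for a in alerts:
        if a["sid"] != ID_ROOT_SID:
            continue
        host = a["src"]  # the box that answered 'uid=0(root)' is the one to worry about
        support = [
            f"{b['sid']}: {b['msg']}" for b in alerts
            if b["sid"] in EXPLOIT_SIDS and b["dst"] == host
            and a["ts"] - window <= b["ts"] <= a["ts"]
        ]
        if support:
            hits[host] = support
    return hits
```

Running `correlate(SAMPLE_ALERTS)` escalates only 10.1.2.3, whose uid=0 reply follows the portmap and statd alerts; the lone 498 from the web server 10.1.2.50 is left as a probable false positive.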
