[Snort-sigs] ID Check returned X signatures
Anton A. Chuvakin
anton at ...1177...
Wed Jan 8 12:57:04 EST 2003
>What is the premise for the ID check returned root/www/nobody, etc
>signatures? None of these signatures have references.
They mean that (for example) the response to a UNIX "id" command was seen
within the session (say, within HTTP session). It indicates that somebody
(or something - such as a worm) got a shell and is trying to figure out
which user it runs as.
E.g. from our recent capture of SSL worm which ran an "id" command upon
compromising the Linux RedHat honeypot:
"uid=48(apache) gid=48(apache) groups=48(apache)"
I am about to write full descriptions for them and submit them to this
list (hopefully for inclusion in snort distro). Hang on for a couple of
Anton A. Chuvakin, Ph.D., GCIA
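The detection logic the post describes, as an added illustration (this is not code from the post, nor Snort's own rules): scan the server-to-client side of a session for text that looks like the output of id(1), record which user the shell runs as, and bucket it the way the list splits the signatures (root / www / nobody). The bucket names, the WEB_SERVER_USERS set and all sample payloads are constructed for this example.

```python
import re
from typing import Optional

# Output of the UNIX "id" command looks like:
#   uid=48(apache) gid=48(apache) groups=48(apache)
# The regex matches the "uid=N(name) gid=N(name)" prefix; the trailing
# groups list is not required because id implementations print it
# differently and the first two fields already identify the user.
ID_OUTPUT_RE = re.compile(
    rb"uid=(?P<uid>\d+)\((?P<user>[A-Za-z0-9_.-]+)\)"
    rb"\s+gid=(?P<gid>\d+)\((?P<group>[A-Za-z0-9_.-]+)\)"
)

# Coarse labels for the account the shell runs as. The label names are
# constructed for this example to echo the root/www/nobody split from the
# list; they are not Snort's signature names.
WEB_SERVER_USERS = {"www", "www-data", "apache", "httpd"}


def classify_user(uid: int, user: str) -> str:
    """Map a (uid, username) pair to one of the example's labels."""
    if uid == 0 or user == "root":
        return "root"
    if user in WEB_SERVER_USERS:
        return "www"
    if user == "nobody":
        return "nobody"
    return "other"


def find_id_output(payload: bytes) -> Optional[dict]:
    """Return details of id(1) output found in a session payload, or None."""
    m = ID_OUTPUT_RE.search(payload)
    if m is None:
        return None
    uid = int(m.group("uid"))
    user = m.group("user").decode("ascii", "replace")
    return {
        "uid": uid,
        "user": user,
        "gid": int(m.group("gid")),
        "group": m.group("group").decode("ascii", "replace"),
        "label": classify_user(uid, user),
    }


def scan_sessions(sessions: dict) -> list:
    """Scan named server->client payloads; return one alert dict per hit."""
    alerts = []
    for name, payload in sessions.items():
        hit = find_id_output(payload)
        if hit is not None:
            alerts.append({"session": name, **hit})
    return alerts


# Constructed sample payloads (not real captures).
SAMPLE_SESSIONS = {
    # Ordinary HTTP response: no id output, must not alert.
    "http-normal": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body>Welcome</body></html>"
    ),
    # A web server process returning id output inside an HTTP response,
    # modelled on the apache line quoted in the post.
    "http-apache-id": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
        b"uid=48(apache) gid=48(apache) groups=48(apache)\n"
    ),
    # id output from a root shell on some other TCP session.
    "tcp-root-id": b"$ id\nuid=0(root) gid=0(root) groups=0(root)\n$ ",
    # Similar-looking bytes that are not id output (no "(name)" part),
    # included to show the pattern does not fire on a bare "uid=" token.
    "http-false-friend": b"HTTP/1.1 200 OK\r\n\r\nuid=12345&gid=3\n",
}

if __name__ == "__main__":
    for alert in scan_sessions(SAMPLE_SESSIONS):
        print(f"{alert['session']}: id check returned {alert['label']} "
              f"(uid={alert['uid']} {alert['user']})")
```

Running the block prints two alerts, for the apache and root sessions only. In practice a rule like this is applied to the response direction of established sessions, and the recorded username is what turns a generic "shell output seen" alert into the more specific root/www/nobody variants the question asks about.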