[Snort-sigs] ID Check returned X signatures

Anton A. Chuvakin anton at ...1177...
Wed Jan 8 12:57:04 EST 2003


Mathew,

>What is the premise for the ID check returned root/www/nobody, etc
>signatures? None of these signatures have references.
They mean that (for example) the response to a UNIX "id" command was seen
within the session (say, within HTTP session). It indicates that somebody
(or something - such as a worm) got a shell and it trying to figure out
which user it runs as.

E.g. from our recent capture of SSL worm which ran an "id" command upon
compromising the Linux RedHat honeypot:

"uid=48(apache) gid=48(apache) groups=48(apache)"

I am about to write full descriptions for them and submit them to this
list (hopefully for inclusion in snort distro). Hang on for a couple of
days...

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCIA
     http://www.chuvakin.org
   http://www.info-secure.org





More information about the Snort-sigs mailing list