[Snort-sigs] ID Check returned X signatures

Russell Fulton r.fulton at ...575...
Wed Jan 8 17:04:15 EST 2003

On Thu, 2003-01-09 at 09:22, Mathew Johnston wrote:
> What is the premise for the ID check returned root/www/nobody, etc
> signatures? None of these signatures have references.

These signatures are useful in conjunction with other attack signatures
and are an indication that the attack succeeded.

e.g. I see lots of rpc exploit attempts against our exposed UNIX
systems. Since these machines are well administered I generally ignore
the rpc attacks as general noise.  If however I saw an rpc (or any
other) attack associated with an ID check signature then I reach for the

These are best described as attack response signatures and are most
useful when they occur with other signatures.

This is the same as the Windows "returned directory". I see 1000s (our
record is now 145,000 in 50 minutes from one source) of generic IIS
exploits; it is quite impossible to follow them all up. If a machine
responds with a directory listing then this is certainly worth
investigating if it is associated with other attacks.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin
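
The correlation described in the message above, as an added example that is not part of the original post or of Snort itself: it reads Snort "fast" alert lines and reports only response alerts that follow an attack alert between the same two hosts. The sample lines, the sids, the `ATTACK-RESPONSES` message prefix and the five-minute window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*\{\w+\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)
RESPONSE_PREFIX = "ATTACK-RESPONSES"  # assumption: naming of response rules
WINDOW = timedelta(minutes=5)         # assumption: correlation window

def parse(line):
    m = ALERT_RE.match(line)
    if not m:
        return None
    # The fast format carries no year; only time differences are used here.
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
    return ts, m["msg"], m["src"], m["dst"]

def correlate(lines, window=WINDOW):
    """Return (victim, attacker, attack_msg, response_msg) for each response
    alert seen within `window` after an attack alert between the same hosts."""
    last_attack = {}  # (attacker, victim) -> (time, msg) of the latest attack alert
    hits = []
    for ts, msg, src, dst in sorted(filter(None, map(parse, lines))):
        if msg.startswith(RESPONSE_PREFIX):
            # Response traffic flows victim -> attacker, so look up the swapped pair.
            prev = last_attack.get((dst, src))
            if prev and ts - prev[0] <= window:
                hits.append((src, dst, prev[1], msg))
        else:
            last_attack[(src, dst)] = (ts, msg)
    return hits

# Constructed sample alerts (documentation address ranges, made-up sids).
SAMPLE = [
    "01/08-17:00:01.000000  [**] [1:1000001:1] RPC exploit attempt (constructed) [**] [Priority: 1] {TCP} 203.0.113.9:40112 -> 192.0.2.10:111",
    "01/08-17:00:03.500000  [**] [1:1000002:1] ATTACK-RESPONSES id check returned root [**] [Priority: 2] {TCP} 192.0.2.10:111 -> 203.0.113.9:40112",
    "01/08-17:01:00.000000  [**] [1:1000001:1] RPC exploit attempt (constructed) [**] [Priority: 1] {TCP} 198.51.100.4:5555 -> 192.0.2.11:111",
    "01/08-17:30:00.000000  [**] [1:1000002:1] ATTACK-RESPONSES id check returned root [**] [Priority: 2] {TCP} 192.0.2.12:25 -> 198.51.100.77:3333",
]

if __name__ == "__main__":
    for victim, attacker, attack, response in correlate(SAMPLE):
        print(f"escalate {victim}: '{response}' after '{attack}' from {attacker}")
```

Only the first pair is reported: the second RPC attempt has no response alert, and the last response alert has no preceding attack between those hosts.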
