[Snort-sigs] ATTACK RESPONSES id check returned root (sid:498)

Jon warchild at ...288...
Thu Jan 23 06:33:02 EST 2003


On Thu, Jan 23, 2003 at 02:19:35PM +0100, m at ...1214... wrote:

> Dear all, 
>  
> Is there any good reason to have the sid:498 rule:
>  
> alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root";
> content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
>  
> instead of 
>  
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check
> returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498;
> rev:3;)
>  
> I know it's a very minor question, don't get annoyed
>  
> Max 

I like a rule like this because it allows you to catch suspicious traffic
both coming from and going to your network.  Well, actually that's only
partially true.  Depending on your setup, rule 498 in its current form will
alert on *any* traffic that it sees because it does not specify the source
and destination networks.  Like if you had a tap on your network's main pipe
for inbound and outbound traffic but your $HOME_NET was set to something
that would just look for traffic relating to a specific subnet that this
sensor watches, say 192.168.0.0/24.  

Depending on what type of network you are watching, rule 498 may be too
broad.  However, the change you are asking about may actually be too
restrictive.  Something like "$HOME_NET any <-> any any" might be better
because it'll catch any suspicious traffic that involves your host as the
source or destination.

Good point, though.

-jon
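
An added illustration of the three header variants discussed above (not code from the thread or from the Snort project): it resolves the address part of each rule header against constructed flows, assuming a sensor whose $HOME_NET is 192.168.0.0/24 and $EXTERNAL_NET is !$HOME_NET, so you can see which flows carrying "uid=0(root)" each variant would alert on.

```python
import ipaddress

# Constructed variable bindings, matching the 192.168.0.0/24 sensor in the reply.
SNORT_VARS = {"$HOME_NET": ["192.168.0.0/24"], "$EXTERNAL_NET": ["!$HOME_NET"]}

def addr_matches(spec, ip):
    """Resolve a Snort address spec ('any', CIDR, '!spec' or '$VAR') against one IP."""
    if spec == "any":
        return True
    if spec.startswith("$"):
        return any(addr_matches(s, ip) for s in SNORT_VARS[spec])
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_matches(header, src_ip, dst_ip):
    """Evaluate a rule header such as 'alert ip $HOME_NET any <-> any any'.
    Ports are ignored because every variant under discussion uses 'any'."""
    _action, _proto, src, _sport, op, dst, _dport = header.split()
    forward = addr_matches(src, src_ip) and addr_matches(dst, dst_ip)
    if op == "->":
        return forward
    if op == "<->":
        # Bidirectional: the header also matches with source and destination swapped.
        return forward or (addr_matches(src, dst_ip) and addr_matches(dst, src_ip))
    raise ValueError(f"unknown direction operator {op!r}")

# The three headers from the thread; the content:"uid=0(root)" match is identical in all.
VARIANTS = {
    "sid498 as shipped": "alert ip any any -> any any",
    "Max's proposal":    "alert ip $HOME_NET any -> $EXTERNAL_NET any",
    "Jon's suggestion":  "alert ip $HOME_NET any <-> any any",
}

# Constructed flows (src, dst), each assumed to carry the string "uid=0(root)".
FLOWS = {
    "home host answers an attacker":      ("192.168.0.10", "203.0.113.5"),
    "external host answers a home host":  ("203.0.113.5", "192.168.0.10"),
    "transit, neither side in HOME_NET":  ("10.0.0.5", "203.0.113.5"),
}

def coverage(variant):
    """Which of the constructed flows would this header variant alert on?"""
    header = VARIANTS[variant]
    return {name: header_matches(header, s, d) for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for name in VARIANTS:
        print(f"{name:20} {coverage(name)}")
```

The output shows the trade-off in the reply: the shipped header fires on all three flows (including pure transit traffic), Max's version only on the outbound one, and the bidirectional form on both flows that touch a home host but not on transit.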
