[Snort-sigs] False Positive - ATTACK-RESPONSES id check returned userid

Gary Verhulp gary.verhulp at ...2645...
Tue Jul 20 05:55:26 EDT 2004


I hope I'm sending this to the correct place and this is something that is
useful. If not please advise.

This alert was generated by a Legato server talking to a FreeBSD client.
As you can see, the rule properly detected the id command, but this is legit
traffic.

000 : 6C 69 65 6E 74 20 74 6F 20 61 74 74 61 63 6B 2E   lient to attack.
010 : 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
020 : 00 00 00 01 03 17 58 03 00 00 00 00 00 00 00 00   ......X.........
030 : 36 1F 5D 5C 00 00 00 00 00 00 00 00 00 00 00 00   6.]\............
040 : 40 F7 7B F1 00 00 00 01 00 00 00 21 2F 75 73 72   @.{........!/usr
050 : 2F 70 6F 72 74 73 2F 66 74 70 2F 76 73 66 74 70   /ports/ftp/vsftp
060 : 64 2F 70 6B 67 2D 69 6E 73 74 61 6C 6C 00 00 00   d/pkg-install...
070 : 00 00 00 08 00 02 74 06 00 1D 50 A4 00 00 00 00   ......t...P.....
080 : 92 05 18 04 00 00 00 38 80 00 00 01 00 00 81 ED   .......8........
090 : 00 00 00 01 00 00 00 00 00 00 00 00 00 00 02 FA   ................
0a0 : 00 77 BF AA 00 00 00 04 00 02 74 06 00 1D 50 A4   .w........t...P.
0b0 : 40 E9 B8 1A 3F DD B1 A9 3F DD B1 A9 00 00 00 00   @...?...?.......
0c0 : 00 00 01 00 00 00 02 FE 00 00 00 00 23 21 2F 62   ............#!/b
0d0 : 69 6E 2F 73 68 0A 23 20 24 46 72 65 65 42 53 44   in/sh.# $FreeBSD
0e0 : 3A 20 70 6F 72 74 73 2F 66 74 70 2F 76 73 66 74   : ports/ftp/vsft
0f0 : 70 64 2F 70 6B 67 2D 69 6E 73 74 61 6C 6C 2C 76   pd/pkg-install,v
100 : 20 31 2E 34 20 32 30 30 33 2F 31 32 2F 31 32 20    1.4 2003/12/12
110 : 31 39 3A 31 37 3A 31 37 20 64 69 6E 6F 65 78 20   19:17:17 dinoex
120 : 45 78 70 20 24 0A 23 0A 0A 69 66 20 5B 20 22 24   Exp $.#..if [ "$
130 : 32 22 20 21 3D 20 22 50 52 45 2D 49 4E 53 54 41   2" != "PRE-INSTA
140 : 4C 4C 22 20 5D 3B 20 74 68 65 6E 0A 20 20 20 20   LL" ]; then.
150 : 65 78 69 74 20 30 0A 66 69 0A 0A 69 66 20 21 20   exit 0.fi..if !
160 : 70 77 20 67 72 6F 75 70 73 68 6F 77 20 6F 70 65   pw groupshow ope
170 : 72 61 74 6F 72 20 3E 2F 64 65 76 2F 6E 75 6C 6C   rator >/dev/null
180 : 3B 20 74 68 65 6E 0A 09 69 66 20 70 77 20 67 72   ; then..if pw gr
190 : 6F 75 70 61 64 64 20 6F 70 65 72 61 74 6F 72 20   oupadd operator
1a0 : 35 3B 20 74 68 65 6E 0A 09 09 65 63 68 6F 20 22   5; then...echo "
1b0 : 41 64 64 65 64 20 67 72 6F 75 70 20 6F 70 65 72   Added group oper
1c0 : 61 74 6F 72 20 66 6F 72 20 76 73 66 74 70 64 22   ator for vsftpd"
1d0 : 0A 09 65 6C 73 65 0A 09 09 65 63 68 6F 20 22 46   ..else...echo "F
1e0 : 61 69 6C 65 64 20 74 6F 20 61 64 64 20 67 72 6F   ailed to add gro
1f0 : 75 70 20 6F 70 65 72 61 74 6F 72 20 61 73 20 67   up operator as g
200 : 69 64 20 35 22 20 3E 26 32 0A 09 09 65 78 69 74   id 5" >&2...exit
210 : 20 31 0A 09 66 69 0A 66 69 0A 0A 69 66 20 21 20    1..fi.fi..if !
220 : 70 77 20 75 73 65 72 73 68 6F 77 20 66 74 70 20   pw usershow ftp
230 : 3E 2F 64 65 76 2F 6E 75 6C 6C 3B 20 74 68 65 6E   >/dev/null; then
240 : 0A 09 69 66 20 70 77 20 75 73 65 72 61 64 64 20   ..if pw useradd
250 : 66 74 70 20 2D 67 20 6F 70 65 72 61 74 6F 72 20   ftp -g operator
260 : 2D 75 20 31 34 20 2D 68 20 2D 20 2D 64 20 2F 76   -u 14 -h - -d /v
270 : 61 72 2F 66 74 70 20 2D 73 20 2F 6E 6F 6E 65 78   ar/ftp -s /nonex
280 : 69 73 74 65 6E 74 20 2D 63 20 22 41 6E 6E 6F 6E   istent -c "Annon
290 : 79 6D 75 73 20 46 74 70 22 3B 20 74 68 65 6E 0A   ymus Ftp"; then.
2a0 : 09 09 65 63 68 6F 20 22 41 64 64 65 64 20 75 73   ..echo "Added us
2b0 : 65 72 20 66 74 70 20 66 6F 72 20 76 73 66 74 70   er ftp for vsftp
2c0 : 64 22 0A 09 65 6C 73 65 0A 09 09 65 63 68 6F 20   d"..else...echo
2d0 : 22 46 61 69 6C 65 64 20 74 6F 20 61 64 64 20 75   "Failed to add u
2e0 : 73 65 72 20 66 74 70 20 61 73 20 67 69 64 20 31   ser ftp as gid 1
2f0 : 34 22 20 3E 26 32 0A 09 09 65 78 69 74 20 31 0A   4" >&2...exit 1.
300 : 09 66 69 0A 66 69 0A 0A 23 20 75 69 64 3D 31 34   .fi.fi..# uid=14
310 : 28 66 74 70 29 20 67 69 64 3D 35 28 6F 70 65 72   (ftp) gid=5(oper
320 : 61 74 6F 72 29 20 67 72 6F 75 70 73 3D 35 28 6F   ator) groups=5(o
330 : 70 65 72 61 74 6F 72 29 0A 76 69 65 77 3D 22 24   perator).view="$
340 : 28 69 64 20 66 74 70 29 22 0A 76 69 65 77 3D 22   (id ftp)".view="
350 : 24 7B 76 69 65 77 25 25 20 2A 7D 22 0A 69 66 20   ${view%% *}".if
360 : 74 65 73 74 20 22 24 7B 76 69 65 77 7D 22 20 3D   test "${view}" =
370 : 20 22 75 69 64 3D 31 34 28 66 74 70 29 22 3B 20    "uid=14(ftp)";
380 : 74 68 65 6E 0A 09 65 78 69 74 20 30 0A 66 69 0A   then..exit 0.fi.
390 : 0A 65 63 68 6F 20 22 55 73 65 72 20 66 74 70 20   .echo "User ftp
3a0 : 73 68 6F 75 6C 64 20 68 61 76 65 20 75 69 64 20   should have uid
3b0 : 31 34 22 3B 20 3E 26 32 0A 65 78 69 74 20 31 0A   14"; >&2.exit 1.
3c0 : 23 20 65 6F 66 0A 00 00 00 00 00 00 00 00 00 00   # eof...........
3d0 : 00 00 00 00 00 00 00 01 03 17 58 03 00 00 00 00   ..........X.....
3e0 : 00 00 00 00 36 1F 61 10 00 00 00 00 00 00 00 00   ....6.a.........
3f0 : 00 00 00 00 40 F7 7B F1 00 00 00 01 00 00 00 1F   ....@.{.........
400 : 2F 75 73 72 2F 70 6F 72 74 73 2F 66 74 70 2F 76   /usr/ports/ftp/v
410 : 73 66 74 70 64 2F 70 6B 67 2D 70 6C 69 73 74 00   sftpd/pkg-plist.
420 : 00 00 00 08 00 02 74 06 00 1D 4A DF 00 00 00 00   ......t...J.....
430 : 92 05 18 04 00 00 00 38 80 00 00 01 00 00 81 A4   .......8........
440 : 00 00 00 01 00 00 00 00 00 00 00 00 00 00 08 EB   ................
450 : 00 77 B5 4C 00 00 00 08 00 02 74 06 00 1D 4A DF   .w.L......t...J.
460 : 40 EC F4 92 40 EB E7 85 40 EB E7 85 00 00 00 00   @...@...@.......
470 : 00 00 08 F8 00 00 01 00 00 00 08 EF 00 00 00 00   ................
480 : 6C 69 62 65 78 65 63 2F 76 73 66 74 70 64 0A 40   libexec/vsftpd.@
490 : 65 78 65 63 20 6D 6B 64 69 72 20 2D 70 20 25 44   exec mkdir -p %D
4a0 : 2F 73 68 61 72 65 2F 76 73 66 74 70 64 2F 65 6D   /share/vsftpd/em
4b0 : 70 74 79 0A 40 75 6E 65 78 65 63 20 69 66 20 64   pty.@unexec if d
4c0 : 69 66 66 20 2D 71 20 25 44 2F 65 74 63 2F 76 73   iff -q %D/etc/vs
4d0 : 66 74 70 64 2E 63 6F 6E 66 20 25 44 2F 65 74 63   ftpd.conf %D/etc
4e0 : 2F 76 73 66 74 70 64 2E 63 6F 6E 66 2E 64 69 73   /vsftpd.conf.dis
4f0 : 74 3B 20 74 68 65 6E 20 72 6D 20 25 44 2F 65 74   t; then rm %D/et
500 : 63 2F 76 73 66 74 70 64 2E 63 6F 6E 66 3B 20 66   c/vsftpd.conf; f
510 : 69 0A 65 74 63 2F 76 73 66 74 70 64 2E 63 6F 6E   i.etc/vsftpd.con
520 : 66 2E 64 69 73 74 0A 40 65 78 65 63 20 69 66 20   f.dist.@exec if
530 : 5B 20 21 20 2D 66 20 25 42 2F 76 73 66 74 70 64   [ ! -f %B/vsftpd
540 : 2E 63 6F 6E 66 20 5D 3B 20 74 68 65 6E 20 63 70   .conf ]; then cp
550 : 20 25 42 2F 76 73 66 74 70 64 2E 63 6F 6E 66 2E    %B/vsftpd.conf.
560 : 64 69 73 74 20 25 42 2F 76 73 66 74 70 64 2E 63   dist %B/vsftpd.c
570 : 6F 6E 66 3B 20 66 69 0A 40 65 78 65 63 20 69 66   onf; fi.@exec if
580 : 20 5B 20 21 20 2D 64 20 2F 76 61 72 2F 66 74 70    [ ! -d /var/ftp
590 : 20 5D 3B 20 74 68 65 6E 20 6D 6B 64 69 72 20 2F    ]; then mkdir /
5a0 : 76 61 72 2F 66 74 70 20                           var/ftp

---------------------------------------
gary.verhulp at ...2645...
831 239 7898
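To show why this alert fired, here is an added Python example (not from the original post and not Snort's own code) that rebuilds the payload from a few lines of the dump above and runs an approximation of the signature's uid=/gid= check over it. The regex is my assumption about what the rule keys on, not the exact rule text; the triage clue it surfaces is that the match sits on a `#` comment line of a shell script being transferred, not in a command response.

```python
import re

# Excerpt (offsets 0x300-0x340) of the hex dump posted above; the payload
# is the FreeBSD ports pkg-install script carried by the backup session.
DUMP = """\
300 : 09 66 69 0A 66 69 0A 0A 23 20 75 69 64 3D 31 34   .fi.fi..# uid=14
310 : 28 66 74 70 29 20 67 69 64 3D 35 28 6F 70 65 72   (ftp) gid=5(oper
320 : 61 74 6F 72 29 20 67 72 6F 75 70 73 3D 35 28 6F   ator) groups=5(o
330 : 70 65 72 61 74 6F 72 29 0A 76 69 65 77 3D 22 24   perator).view="$
340 : 28 69 64 20 66 74 70 29 22 0A 76 69 65 77 3D 22   (id ftp)".view="
"""

# Assumed approximation of what the signature keys on: id(1) output of the
# form "uid=<n>(<name>) gid=<n>(<name>)". This is not the exact rule text.
ID_OUTPUT = re.compile(rb"uid=\d+\([^)]*\) gid=\d+\([^)]*\)")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw payload from fixed-width 'off : 16 hex bytes   ascii' lines."""
    out = bytearray()
    for line in dump.splitlines():
        hex_field = line.split(":", 1)[1][:3 * 16]  # 16 bytes, each " XX"
        out.extend(bytes.fromhex(hex_field))
    return bytes(out)


def find_id_output(payload: bytes) -> list:
    """Return each match with the surrounding line and whether that line is
    a shell comment, which is the triage clue for this false positive."""
    hits = []
    for m in ID_OUTPUT.finditer(payload):
        start = payload.rfind(b"\n", 0, m.start()) + 1
        end = payload.find(b"\n", m.end())
        line = payload[start:end if end != -1 else len(payload)]
        hits.append({
            "offset": m.start(),
            "match": m.group().decode(),
            "line": line.decode(errors="replace"),
            "in_comment": line.lstrip().startswith(b"#"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_id_output(dump_to_bytes(DUMP)):
        verdict = "comment in a transferred file" if hit["in_comment"] else "possible id(1) response"
        print(f"offset {hit['offset']}: {hit['match']!r} -> {verdict}")
```

Running the whole dump from the post through the same functions shows the rest of the payload is a shebang script with its own `$(id ftp)` check, which is what a backup of a ports tree looks like on the wire.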