[Snort-users] Rules question

Matt Kettler mkettler at ...4108...
Thu Feb 14 09:21:14 EST 2002

I would not jump to the conclusion that it is likely someone running an ID 
check that caused this. It should be investigated, but looking at the rule 
it is going to be very prone to false alerts.

Look at the rule:

attack-responses.rules:alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0***(root)"; classtype:bad-unknown; sid:498; re

(I inserted *** in the content section, otherwise this very email will set 
off the rule)

So any TCP connection, in any direction, which is connected and has that 
text string in it will trigger.

So downloading the rules file in uncompressed text form will trigger it.
Emails quoting the rule will trigger it (unless modified like this one).
Some OS install/setup/security discussions on websites, email and news will 
set it off.

Try doing a google on the text string (minus the ***'s), see just how many 
websites and news posts out there contain that string.
(I got approx. 4,430 website hits and 1,340 usenet news hits for that 
search). Be aware that the search itself will set the rule off as well. I 
triggered the rule 4 times doing the search and looking at one of the websites.

I'd look closely at what triggered the alert, if it looks like the machine 
on your end is not a *nix box, the outside end is almost certainly a news, 
web or mailserver and the alert is a false one. If the machine on your end 
is a *nix box, I'd check to see if it was knocked over, but be aware that 
it may be a false alarm.

The rule is attempting to catch the output of someone running the *nix "id" 
command and getting back a result indicating they are the root user.

Sample output for a non-root user (I've modified the numbers/usernames a 
bit, but the output format is valid):

bash$ id
uid=2105(m_kettler) gid=2105 groups=2105

At 10:21 AM 2/14/2002 +0100, Poppi, Sandro wrote:
>Seems that someone ran the id command, which shows that she/he has uid 0,
>which in turn is root. I would strongly suggest investigating this incident.
> > -----Original Message-----
> > From: Bastian Ballmann [mailto:ballmann at ...3190...]
> > Sent: Thursday, 14 February 2002 10:08
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Rules question
> >
> >
> > Hi @ll!!! =)
> > Could anyone explain to me what this log entry should tell me?
> >
> > "ATTACK RESPONSES id check returned root [Classification:
> > Potentially Bad
> > Traffic   Priority: 2]"
> >
> > Thanks in advance!
> > Greets
> >
> > Bastian Ballmann
> > --
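The matching logic of sid 498 and the false-positive cases Matt lists above, as an added Python example that is not part of the thread and not Snort's own parser: the rule text, the option parser and the sample packets are constructed here (the content string is left intact, so this file itself would match the rule, exactly as the post warns).

```python
# Constructed copy of the rule quoted in the thread (sid 498) with the
# content string intact; this is a toy matcher, not Snort's rule engine.
RULE = ('alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; '
        'flags:A+; content:"uid=0(root)"; classtype:bad-unknown; sid:498;)')

# TCP flag bits in the letters Snort's flags: option uses.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_rule(rule):
    """Pull the key:value options out of a one-line Snort rule body."""
    _header, _, body = rule.partition("(")
    opts = {}
    for opt in body.rstrip(")").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    return opts


def flags_match(spec, packet_flags):
    """'A+' means ACK must be set and any other bits may be set as well."""
    want = 0
    for ch in spec.rstrip("+"):
        want |= TCP_FLAGS[ch]
    if spec.endswith("+"):
        return packet_flags & want == want
    return packet_flags == want


def rule_fires(opts, packet):
    # Direction is any/any, so only flags and a case-sensitive content
    # substring decide the match; that is why it fires on quoted text too.
    return flags_match(opts["flags"], packet["flags"]) and opts["content"] in packet["payload"]


# Constructed payloads: a real root id result, Matt's non-root sample, an
# e-mail quoting the rule with *** inserted, a raw rules-file download, and
# a SYN-only segment carrying the string (flags:A+ not satisfied).
SAMPLES = {
    "root_id_output": {"flags": 0x18, "payload": "uid=0(root) gid=0(root) groups=0(root)\n"},
    "user_id_output": {"flags": 0x18, "payload": "uid=2105(m_kettler) gid=2105 groups=2105\n"},
    "mail_with_stars": {"flags": 0x18, "payload": 'content: "uid=0***(root)";'},
    "rules_download": {"flags": 0x18, "payload": RULE},
    "syn_only": {"flags": 0x02, "payload": "uid=0(root)"},
}


def evaluate(rule=RULE, samples=SAMPLES):
    """Return {sample name: True if sid 498 would alert on it}."""
    opts = parse_rule(rule)
    return {name: rule_fires(opts, pkt) for name, pkt in samples.items()}
```

Running `evaluate()` shows the true positive and the rules-file download both alert, while the ***-modified mail, the non-root id output and the SYN-only segment do not.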
