[Snort-users] ATTACK RESPONSES id check returned root

McCammon, Keith Keith.McCammon at ...3497...
Tue Oct 8 07:36:06 EDT 2002

Any payload that contains the string "uid=0(root)" will cause this to fire.  Most of the times that I've caught it, it's been because someone visited a web site with some type of UNIX tutorial, handbook, etc.  That's generally the first thing that you want to look for.  

> -----Original Message-----
> From: Dallas Jordan [mailto:DJordan at ...7041...]
> Sent: Tuesday, October 08, 2002 10:11 AM
> To: 'Snort-Users (E-mail)
> Subject: [Snort-users] ATTACK RESPONSES id check returned root
> Does anyone know what could possibly set this alert off?  I 
> have checked
> Google and didn't come up with anything specific.  I have 
> gotten a couple of
> these this morning and was just wondering what I should be on 
> the lookout
> for.  Thanks for any suggestions. 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list