[Snort-users] ATTACK RESPONSES id check returned root

Semerjian, Ohanes Semerjian.Ohanes at ...4899...
Tue Oct 8 16:50:02 EDT 2002


The signature for that alert is defined in your rules and you don't need to go
to Google to find out; just edit the rule files.
===========================================================================================================================
alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
===========================================================================================================================

This signature will fire if someone uses a root account, as it checks the payload for
the word "root" account from anywhere to anywhere, and that the packet has the
ACK flag set. You could fine-tune the signature to meet your requirements and your
interests.

Best Regards

Ohanes Semerjian

PGP Key
6604 2A46 E64F BEBF A4B7  9D01 9E08 399C 9D45 3254
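
As an added illustration (not part of the thread), here is a small Python model of how sid 498 evaluates: it parses the rule options quoted above, applies the `flags:A+` and `content` checks to constructed TCP packets, and shows that a packet carrying the rule text itself also matches, which is the kind of false positive a rule push to a sensor produces. The `Packet` class and all sample payloads are constructed for this example; the flag semantics are simplified to the letter modifiers `+` and `*`.

```python
import re
from dataclasses import dataclass

# Snort rule quoted in the message above (sid 498, rev 2).
RULE = ('alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; '
        'flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)')


@dataclass
class Packet:
    """Constructed TCP packet: flag letters as Snort spells them, plus the payload."""
    flags: str
    payload: bytes


def parse_options(rule: str) -> dict:
    """Return the key/value options found inside the rule's parentheses."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for item in body.split(";"):
        if ":" not in item:
            continue
        key, val = item.split(":", 1)
        opts[key.strip()] = val.strip().strip('"')
    return opts


def flags_match(spec: str, pkt_flags: str) -> bool:
    """Simplified Snort flag matching: bare spec is an exact match,
    a trailing '+' allows any extra flags, a trailing '*' matches any listed flag."""
    if spec.endswith("+"):
        return set(spec[:-1]) <= set(pkt_flags)
    if spec.endswith("*"):
        return bool(set(spec[:-1]) & set(pkt_flags))
    return set(spec) == set(pkt_flags)


def matches(rule: str, pkt: Packet) -> bool:
    """True when both the flags test and the content search succeed."""
    opts = parse_options(rule)
    return flags_match(opts["flags"], pkt.flags) and opts["content"].encode() in pkt.payload


# Constructed sample traffic (not captured data).
SAMPLES = {
    "id_output": Packet("AP", b"uid=0(root) gid=0(root) groups=0(root)\n"),  # real `id` output
    "syn_only": Packet("S", b"uid=0(root)"),                                  # no ACK: ignored
    "rule_transfer": Packet("AP", RULE.encode()),  # console pushing this very rule to a sensor
    "normal_user": Packet("AP", b"uid=1000(alice) gid=1000(alice)\n"),
}


def alerts(rule: str = RULE) -> list:
    """Names of the sample packets that would raise this alert."""
    return [name for name, pkt in SAMPLES.items() if matches(rule, pkt)]
```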


-----Original Message-----
From: Metz, Tim [mailto:TMetz at ...4410...]
Sent: Wednesday, 9 October 2002 3:49
To: 'Dallas Jordan '; ''Snort-Users (E-mail) '
Subject: RE: [Snort-users] ATTACK RESPONSES id check returned root


This also fires when Demarc (Puresecure) transfers rules to remote sensors.

Tim

-----Original Message-----
From: Dallas Jordan
To: 'Snort-Users (E-mail)
Sent: 10/8/02 10:10 AM
Subject: [Snort-users] ATTACK RESPONSES id check returned root

Does anyone know what could possibly set this alert off?  I have checked
Google and didn't come up with anything specific.  I have gotten a
couple of these this morning and was just wondering what I should be on the
lookout for.  Thanks for any suggestions.


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

