[Snort-users] ATTACK-RESPONSES id check returned root

sam at ...5202...
Tue Dec 30 14:10:01 EST 2003


Ahh yes, the good ol' Attack Responses id check root.  I have never seen
an instance of this alert that was NOT a false positive.  And almost every
time ours would trigger, it would be SMTP based.

What happens, in our case, is that we have SysAdmins who are asked, on
occasion to email id outputs to support engineers on the other end.  This
triggers the above rule every single time.

You could tune the rule down to *not* look at port 25, but you would get the
alert anytime someone went and visited a web site which contained the 'id'
output from a Unix page.

So, you could tune out port 25 and port 80, but anytime anyone uses Telnet
(god forbid), and runs the 'id' command, they are going to trigger the
alert.

See where I'm goin'?  There's no real good way for this alert to work.

Hope this helps.

-Sam
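As an added illustration, not part of the thread, here are the stock rule and the two tunings discussed above written as Snort 2 rules. The content match and sid 498 are from the stock attack-responses.rules as I recall them (check your own ruleset), the local sid and the suppress IP are placeholders.

```snort
# Stock rule (attack-responses.rules, sid 498 in the 2.x rulesets; verify against your copy).
# It fires on "uid=0(root)" anywhere in any IP payload, which is why mailed or
# web-served 'id' output trips it just as readily as a real shell response.
alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; \
    content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)

# Port-tuned variant Sam describes: skip 'id' output mailed to port 25 (dest)
# and served from port 80 (source). A telnet session on port 23 still matches.
# Local rules use sids >= 1000000; 1000498 is a placeholder.
alert tcp any !80 -> any !25 (msg:"ATTACK-RESPONSES id check returned root (tuned)"; \
    content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:1000498; rev:1;)

# Narrower alternative: keep the stock rule and, in threshold.conf, suppress only
# the known relay that legitimately carries such mail (192.0.2.10 is a placeholder).
suppress gen_id 1, sig_id 498, track by_src, ip 192.0.2.10
```

The suppress entry keeps coverage on every other host, so a real "id" response from a compromised box elsewhere still alerts while the known mail relay pair is silenced.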


>
> I just got this alert for our snort sensor.  I think that it's a false
> positive but am not sure how to check and want to see if anyone else has
> seen this.  Both the source and dest. are mail servers. The source is a
> from a list server that sends a good bit of emails to us and this is the
> first time that I have seen this alert.  The source IP is 131.193.178.160
> (stoneport.math.uic.edu - a.mx.cr.yp.to).  Any help would be greatly
> appreciated.
>
> Thanks,
>
> Chris Romano
>
