[Snort-users] ATTACK-RESPONSES id check returned userid

Charles Douvier charles at ...9394...
Fri Jun 6 07:38:10 EDT 2003


Has anyone ever had a lot of "ATTACK-RESPONSES id check returned userid"
events? Sometimes I get 0 for a day, sometimes it's 400 in a couple of hours.
I don't know why I get so many, but it seems like every so often when someone
hits up AOL webmail (I know.. *shudder*) or just from general surfing
occasionally. It'll come from an internal computer on <insert port here> to
a <insert server here> port 80. It looks all legitimate, but I couldn't find
anyone on Google or in the archives that this happens to.

We run a masquerade rh7.3 machine for our firewall and ZoneAlarm on all the
machines, which are mostly Windows XP workstations. The Red Hat 7.3 machine
runs snort w/ ACID, some webmail, two eggdrops and some stats stuff. I don't
know what could be causing it. I really doubt I have had an intrusion of any
kind; I have gone over just about everything in that machine...

Anyone have any ideas/similar problems?

Also, we are making an admin-notify script for snort using mysql. It's a
basic script that just uses qmail to send an email when there are more than
<X> # of events. We are using it to text message a cell phone. It's nothing
special, but if you want it, email me directly - should be done Monday.

Thank you,

Charles
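
An added example, not part of the original post and not the script Charles offers: a sketch of the "more than <X> events" check, run against a burst like the 400-in-two-hours one described above. The table and column names are an assumed subset of the Snort database schema that ACID reads, sqlite3 stands in for MySQL so it runs offline, all rows and the threshold of 100 are constructed, and handing the resulting line to the mailer is left out.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed subset of the Snort database schema that ACID reads; the post's
# database is MySQL, sqlite3 is used here only so the example runs offline.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
"""

def build_sample_db():
    """Constructed data: a 400-event burst over two hours plus light background."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO signature VALUES (?, ?)", [
        (1, "ATTACK-RESPONSES id check returned userid"), (2, "ICMP PING NMAP")])
    start = datetime(2003, 6, 6, 5, 0, 10)
    rows = [(1, i, 1, (start + timedelta(seconds=18 * i)).isoformat(" "))
            for i in range(400)]
    rows += [(1, 1000 + i, 2, (start + timedelta(minutes=30 * i)).isoformat(" "))
             for i in range(4)]
    db.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    return db

def signatures_over_threshold(db, now, window, threshold):
    """Return [(sig_name, count)] with more than `threshold` events in (now - window, now]."""
    query = """
        SELECT s.sig_name, COUNT(*) AS n
        FROM event e JOIN signature s ON s.sig_id = e.signature
        WHERE e.timestamp > ? AND e.timestamp <= ?
        GROUP BY s.sig_id, s.sig_name
        HAVING COUNT(*) > ?
        ORDER BY n DESC"""
    params = ((now - window).isoformat(" "), now.isoformat(" "), threshold)
    return db.execute(query, params).fetchall()

def build_notice(hits, window, max_len=160):
    """One SMS-sized line for the mailer, or None when nothing crossed the threshold."""
    if not hits:
        return None
    hours = window.total_seconds() / 3600
    body = "; ".join(f"{n}x {name}" for name, n in hits)
    return f"snort alert volume, last {hours:g}h: {body}"[:max_len]

if __name__ == "__main__":
    db = build_sample_db()
    now, window = datetime(2003, 6, 6, 7, 0, 0), timedelta(hours=2)
    print(build_notice(signatures_over_threshold(db, now, window, 100), window))
```

Grouping by signature keeps one noisy rule from hiding behind a total count, and the message names the rule so the recipient can tell a known false-positive burst from something new.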




