[Snort-users] RE: ATTACK-RESPONSES id check returned userid

Hudak, Tyler Tyler.Hudak at ...9167...
Tue Jun 17 07:49:16 EDT 2003


You get this alert because on the website is the string "uid=x gid=y", where
x and y are numbers less than 65537.  This usually occurs on a UNIX system
when someone runs the "id" command.

I surfed that site for a while and didn't generate an alert for that
signature.  Is there a specific URL on the site that does it?

Tyler

--------------

Date: Tue, 17 Jun 2003 11:34:50 +0200
From: Roelf Schreurs <rosc at ...9480...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] ATTACK-RESPONSES id check returned userid

Hi

When we connect to one specific website, www.marca.com, I get a lot of
alerts.
The source address is my NAT'ed address and the destination is the IP of
this website.

Can somebody please explain why I get this as an alert.

Thanks

ID 		= #0-(1-355)
SIGNATURE 	= ATTACK-RESPONSES id check returned userid    	
TIMESTAMP	= 2003-06-17 09:30:34
SOURCE IP	= $MY_NAT_IP:57967     	
DEST IP		= 212.80.128.10:80
LAYER 4 PROTO	= TCP


-- 
Roelf
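
A rough model of the check described in the reply above, added here as an example (it is not the Snort rule text and not code from either poster). It shows why an ordinary page containing "uid=x gid=y" raises the same alert as real `id` output. The 15-byte gap, the stricter `id`-output pattern and the sample payloads are assumptions constructed for illustration.

```python
import re

MAX_ID = 65537  # bound quoted in the reply above

# Loose model of the described check: "uid=<n>", then " gid=<n>" within an
# assumed 15-byte window (real `id` output puts "(name)" between them).
LOOSE = re.compile(rb"uid=(\d+)(?!\d)[^\n]{0,15}? gid=(\d+)(?!\d)")
# Stricter shape of real `id` output: uid=0(root) gid=0(root)
ID_OUTPUT = re.compile(rb"uid=\d+\([\w.-]+\) gid=\d+\([\w.-]+\)")


def loose_match(payload: bytes) -> bool:
    """True if the payload would trip the loose uid/gid check."""
    return any(
        int(m.group(1)) < MAX_ID and int(m.group(2)) < MAX_ID
        for m in LOOSE.finditer(payload)
    )


def triage(payload: bytes) -> str:
    """Classify a payload for an analyst reviewing the alert."""
    if not loose_match(payload):
        return "no-alert"
    if ID_OUTPUT.search(payload):
        return "alert: looks like id output"
    return "alert: string only, check the page content"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "shell": b"uid=0(root) gid=0(root) groups=0(root)\n",
    "webpage": b"<!-- tracker uid=1021 gid=7 -->",
    "too_big": b"uid=70000 gid=5",
    "plain": b"<p>Football results</p>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8} {triage(data)}")
```

Both the "shell" and "webpage" samples alert under the loose check; only the parenthesised names separate command output from a page that merely contains the string.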
