[Snort-users] id check returned root ?!?!

MH procana at ...4296...
Sat Jun 28 09:35:03 EDT 2003

Hi Michael,

If you were on a security-related site, this is fairly common.  If I go to 
zone-h or some other defacement mirror where part of a defacement has 
"uid=0(root)", this alarm will fire.  Look at your logs for this alert and 
determine if this is the case.

Hope this helps.

On Saturday 28 June 2003 11:20 am, Michael D. Schleif wrote:
> I am fairly new to snort, and I've just begun analyzing my logs.
> I have my home office network, from which I am writing this post, that
> is NAT'ed behind an ipchains firewall.  This system is:
> I also have a web/email server hosted by tera-byte.com:
> Last week I received several of these:
> 4  ATTACK RESPONSES id check returned root
> Now, I have come to realize that this is a dangerous situation.
> I run chkrootkit daily and have _nothing_ to report.
> What should I do?
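
The log review suggested in the reply, as an added example that is not part of the original thread: it reads Snort fast-format alert lines and separates web responses arriving at your own clients (the browsing case the reply describes) from alerts where one of your own hosts sent the string out. The network ranges, function names and sample alert lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: addresses you own (home LAN plus hosted server); constructed values.
OWN_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.10/32")]
WEB_PORTS = {80, 8080}
MSG = "id check returned root"

# Fast alert layout: time [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def is_own(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWN_NETS)

def classify(line):
    """Return a triage label for one alert line, or None if it is another alert."""
    m = ALERT_RE.search(line)
    if not m or MSG not in m["msg"]:
        return None
    src_own, dst_own = is_own(m["src"]), is_own(m["dst"])
    if src_own and not dst_own:
        return "investigate"      # one of your hosts sent "uid=0(root)" outward
    if dst_own and not src_own and int(m["sport"]) in WEB_PORTS:
        return "likely-browsing"  # remote web server's page reached your client
    return "review"               # anything else needs a manual look

# Constructed sample alerts, not taken from the poster's logs.
SAMPLE_ALERTS = """\
06/28-09:12:44.120000  [**] [1:498:3] ATTACK RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 192.168.1.20:1045
06/28-09:12:51.480000  [**] [1:498:3] ATTACK RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 192.168.1.20:1046
06/28-10:03:10.900000  [**] [1:498:3] ATTACK RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.55:40112
06/28-10:05:00.000000  [**] [1:1000001:1] EXAMPLE unrelated local rule [**] [Priority: 3] {TCP} 192.0.2.55:40200 -> 203.0.113.10:25
06/28-10:07:30.250000  [**] [1:498:3] ATTACK RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.99:6000 -> 192.168.1.20:1050
"""

def triage(text):
    """Count triage labels over a block of alert lines."""
    return Counter(c for c in map(classify, text.splitlines()) if c)

if __name__ == "__main__":
    for label, count in triage(SAMPLE_ALERTS).items():
        print(f"{count:3d}  {label}")
```

An alert labelled "investigate" is the one to follow up with packet captures and host checks, since it means the matching text left a machine you run rather than arriving in a page you viewed.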
