[Snort-users] id check returned root ?!?!

Nicholas Delo ndelo at ...9245...
Sat Jun 28 09:41:16 EDT 2003


Check the packet contents to make sure that it is not a false positive.
Email from the snort-users and snort-sigs mailing lists always triggers
this alert on my IDS. Check the source and dest ports, it may be something
like source port 110 (if you are using pop3) on your mail server to an
unprivileged port on your mail client.

> I am fairly new to snort, and I've just begun analyzing my logs.
>
> I have my home office network, from which I am writing this post, that
> is NAT'ed behind an ipchains firewall.  This system is: 192.168.123.150
>
> I also have a web/email server hosted by tera-byte.com: 216.234.189.108
>
> Last week I received several of these:
>
> 4  216.234.189.108  192.168.123.150  ATTACK RESPONSES id check returned
> root
>
>
> Now, I have come to realize that this is a dangerous situation.
>
> I run chkrootkit daily and have _nothing_ to report.
>
> What should I do?
>
> --
> Best Regards,
>
> mds
> mds resource
> 877.596.8237
> -
> Dare to fix things before they break . . .
> -
> Our capacity for understanding is inversely proportional to how much we
> think we know.  The more I know, the more I know I don't know . . . --
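The check Nicholas describes (look at the payload, then at which side holds the privileged port) is easy to script when you have more than a handful of these alerts. The following is an added example, not code from the thread or from the Snort project. It assumes the stock rule fires on the literal string "uid=0(root)" anywhere in a packet, and it treats an alert as a probable false positive only when the traffic runs from a known mail server's service port (25, 110, 143, 993, 995) to an ephemeral port on the client and the payload carries mail framing (a POP3 "+OK" reply or message headers). The mail-server list, port set and framing heuristic are assumptions for illustration; the sample alerts are constructed, reusing the two addresses from the original post.

```python
"""Triage helper for Snort "ATTACK RESPONSES id check returned root" alerts.

Added example for the snort-users thread above; not from the thread or from Snort.
The rule matches the first token of `id` output for root, so any mail that
quotes that output (a snort-users post, a shell transcript) trips it when the
message is delivered to the client. Separate that case from the one that
matters: `id` output coming back over a flow that is not mail at all.
"""
from __future__ import annotations

from dataclasses import dataclass

# Rule content (assumption: the stock rule looks for this literal string).
ID_ROOT = b"uid=0(root)"

# Server-side mail ports: SMTP, POP3, IMAP, IMAPS, POP3S (assumed set).
MAIL_SERVER_PORTS = {25, 110, 143, 993, 995}


@dataclass(frozen=True)
class Alert:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def looks_like_mail(payload: bytes) -> bool:
    """Crude mail-framing check: a POP3 reply or RFC 822 headers in the payload.

    Constructed heuristic, not a protocol parser; it exists so that a bare
    shell response on a mail port is still flagged.
    """
    return (payload.startswith(b"+OK")
            or b"\r\nSubject:" in payload
            or payload.startswith(b"From:"))


def triage(alert: Alert, mail_servers: set[str]) -> str:
    """Classify one alert as 'no match', 'probable false positive' or 'investigate'."""
    if ID_ROOT not in alert.payload:
        return "no match"          # payload was not captured or rule content absent
    server_to_client = (
        alert.src_ip in mail_servers
        and alert.src_port in MAIL_SERVER_PORTS
        and alert.dst_port >= 1024  # unprivileged/ephemeral port on the mail client
    )
    if server_to_client and looks_like_mail(alert.payload):
        return "probable false positive"
    return "investigate"


MAIL_SERVERS = {"216.234.189.108"}  # the poster's hosted mail server

# Constructed: POP3 retrieval of a list message that quotes `id` output.
POP3_ALERT = Alert(
    "216.234.189.108", 110, "192.168.123.150", 33412,
    b"+OK 812 octets\r\nFrom: someone@example.org\r\n"
    b"Subject: [Snort-users] id check\r\n\r\n"
    b"$ id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n.\r\n",
)

# Constructed: the same string returned by the web server on port 80 with no
# mail framing, which is what an injected `id` command would look like.
SHELL_ALERT = Alert(
    "216.234.189.108", 80, "192.168.123.150", 33413,
    b"HTTP/1.0 200 OK\r\n\r\nuid=0(root) gid=0(root) groups=0(root)\n",
)


def triage_samples() -> dict[str, str]:
    return {
        "pop3": triage(POP3_ALERT, MAIL_SERVERS),
        "shell": triage(SHELL_ALERT, MAIL_SERVERS),
    }


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name}: {verdict}")
```

Note that the check requires all three conditions (known mail server, mail service port, mail framing) before it downgrades an alert; a host outside the mail-server list speaking on port 110, or a bare shell response on a mail port, still comes back as "investigate".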