[Snort-users] id check returned root ?!?!
Michael D. Schleif
mds at ...9577...
Sat Jun 28 10:32:16 EDT 2003
Thus spoke Nicholas Delo (Sat 28 Jun 02003 at 12:58:26PM -0400):
> Check the packet contents to make sure that it is not a false positive.
> Email from the snort-users and snort-sigs mailing lists always triggers
> this alert on my IDS. Check the source and dest ports, it may be something
> like source port 110 (if you are using pop3) on your mail server to an
> unprivileged port on your mail client.
> > I am fairly new to snort, and I've just begun analyzing my logs.
> > I have my home office network, from which I am writing this post, that
> > is NAT'ed behind an ipchains firewall. This system is: 192.168.123.150
> > I also have a web/email server hosted by tera-byte.com: 184.108.40.206
> > Last week I received several of these:
> > 4 220.127.116.11 192.168.123.150 ATTACK RESPONSES id check returned
> > root
> > Now, I have come to realize that this is a dangerous situation.
> > I run chkrootkit daily and have _nothing_ to report.
> > What should I do?
> > --
> > Best Regards,
> > mds
Is it safe to *assume* that if my box is _not_ the destination `to',
then I am *NOT* under attack?
In other words, if my box is compromised, won't _it_ be sending id=root
to the remote boxen?
What do you think?
Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much
we think we know. The more I know, the more I know I don't know . . .
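As an added illustration (not code from the thread or from Snort), here is a small Python triage routine that applies Nicholas's advice to packets that fired this alert. It assumes the rule matches the string `uid=0(root)` in the payload, and the packets, ports and the 203.0.113.9 address are constructed samples.

```python
# Hypothetical triage helper for the "ATTACK RESPONSES id check returned
# root" alert; not Snort's rule and not the poster's setup.
import re
from dataclasses import dataclass

# Assumption: the rule fires on the output of `id` run as root.
ROOT_ID = re.compile(rb"uid=0\(root\)")
MAIL_PORTS = {25, 110, 143}          # SMTP, POP3, IMAP source ports
LOCAL_NET = "192.168.123."           # home office network from the thread

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def triage(pkt: Packet) -> str:
    """Return a triage verdict for one packet that matched the alert."""
    if not ROOT_ID.search(pkt.payload):
        return "no-match"
    # Mail server (privileged mail port) -> client ephemeral port: a list
    # message quoting `id` output, the false positive described above.
    if pkt.sport in MAIL_PORTS and pkt.dport > 1023:
        return "likely-false-positive-mail"
    # A compromised local host answering an attacker's `id` would be the
    # *source* of the root string, so direction matters, not only the dst.
    if pkt.src.startswith(LOCAL_NET):
        return "suspicious-local-source"
    return "inspect"

# Constructed sample traffic (not taken from the original post).
SAMPLES = [
    Packet("184.108.40.206", 110, "192.168.123.150", 34567,
           b"From: snort-users ...\r\n$ id\r\nuid=0(root) gid=0(root)\r\n"),
    Packet("192.168.123.150", 4444, "203.0.113.9", 51000,
           b"uid=0(root) gid=0(root) groups=0(root)\n"),
    Packet("203.0.113.9", 80, "192.168.123.150", 40000, b"uid=1000(mds)\n"),
]

def triage_all(packets=SAMPLES):
    return [triage(p) for p in packets]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLES, triage_all()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```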