[Snort-users] id check returned root ?!?!
erek at ...950...
Sat Jun 28 12:30:05 EDT 2003
On Sat, 28 Jun 2003, Michael D. Schleif wrote:
> I am fairly new to snort, and I've just begun analyzing my logs.
> I have my home office network, from which I am writing this post, that
> is NAT'ed behind an ipchains firewall. This system is: 192.168.123.150
> I also have a web/email server hosted by tera-byte.com: 126.96.36.199
> Last week I received several of these:
> 4 188.8.131.52 192.168.123.150 ATTACK RESPONSES id check returned root
> Now, I have come to realize that this is a dangerous situation.
> I run chkrootkit daily and have _nothing_ to report.
> What should I do?
Look at the packet not the alert. From an alert you really can't tell
what happened, only that something did.
If you're logging to binary (pcap) to get the packet it's as simple as:
snort -dvr <pcap_filename> 'host 184.108.40.206' |less
And that will show you all the packets that it could have been.
Now the fun part: Figuring out what went on. :) You may find out that
this is a normal packet from a webmail application or something of the
If you're not logging to binary, well... Either start and look at the
packets or 'hope'. :)
"When things get weird, the weird turn pro." H.S. Thompson
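As an added example (not erek's code and not part of Snort), the script below does in Python what the `snort -dvr <pcap> 'host ...'` command above does at the shell: it reads a pcap, keeps only the TCP packets involving the host in question, and shows the ones whose payload carries `uid=0(root)`, the string the "id check returned root" rule looks for. The pcap, the hosts 203.0.113.5, 198.51.100.9 and 192.0.2.77, the ports and the HTTP payloads are all constructed here so the script runs offline; only the address 192.168.123.150 comes from the thread. Seeing the full payload (an HTTP response from a web application versus a bare `uid=0(root)` on an odd port) is what lets you decide whether the alert is noise or a real compromise.

```python
import struct
from typing import Dict, List, Optional

# Byte pattern the Snort "ATTACK RESPONSES id check returned root" rule matches.
ALERT_CONTENT = b"uid=0(root)"


def _ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct an Ethernet + IPv4 + TCP frame. Checksums are left zero; enough for parsing."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     _ip_to_bytes(src_ip), _ip_to_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian pcap (link type 1 = Ethernet). Timestamps are made up."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out = [header]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1056758400 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def _decode_frame(frame: bytes) -> Optional[Dict]:
    """Decode Ethernet/IPv4/TCP; return None for anything else (the alert is about a TCP session)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if frame[23] != 6:  # IP protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:14 + total_len]  # trim Ethernet padding, if any
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


def parse_pcap(data: bytes) -> List[Dict]:
    """Walk a classic pcap file (either byte order) and decode each TCP packet."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled here")
    pos, packets = 24, []
    while pos + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        pkt = _decode_frame(data[pos:pos + incl_len])
        pos += incl_len
        if pkt:
            pkt["ts"] = ts_sec
            packets.append(pkt)
    return packets


def find_alert_packets(pcap_bytes: bytes, host: str, needle: bytes = ALERT_CONTENT) -> List[Dict]:
    """Equivalent of the 'host X' BPF filter plus a search for the rule's content."""
    return [p for p in parse_pcap(pcap_bytes)
            if host in (p["src"], p["dst"]) and needle in p["payload"]]


# Constructed traffic: a webmail-style HTTP reply that echoes `id` output, the request
# that provoked it, and an unrelated session between two other constructed hosts.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.168.123.150", "203.0.113.5", 80, 51234,
                    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nuid=0(root) gid=0(root)\n"),
    build_tcp_frame("203.0.113.5", "192.168.123.150", 51234, 80,
                    b"GET /cgi-bin/whoami HTTP/1.0\r\n\r\n"),
    build_tcp_frame("198.51.100.9", "192.0.2.77", 4444, 33333, b"uid=0(root) gid=0(root)\n"),
])

if __name__ == "__main__":
    for p in find_alert_packets(SAMPLE_PCAP, "192.168.123.150"):
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}')
        print(p["payload"].decode("ascii", "replace"))
```

Run against a real capture, read the file with `open(path, "rb").read()` in place of `SAMPLE_PCAP`; the interesting part is the printed payload, where an `HTTP/1.1 200 OK` header in front of the `uid=0(root)` points at a web application echoing command output, while the same string on an unusual port with no protocol framing deserves a much closer look.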