[Snort-users] id check returned root ?!?!

Erek Adams erek at ...950...
Sat Jun 28 12:30:05 EDT 2003


On Sat, 28 Jun 2003, Michael D. Schleif wrote:

> I am fairly new to snort, and I've just begun analyzing my logs.
>
> I have my home office network, from which I am writing this post, that
> is NAT'ed behind an ipchains firewall.  This system is: 192.168.123.150
>
> I also have a web/email server hosted by tera-byte.com: 216.234.189.108
>
> Last week I received several of these:
>
> 4  216.234.189.108  192.168.123.150  ATTACK RESPONSES id check returned root
>
>
> Now, I have come to realize that this is a dangerous situation.
>
> I run chkrootkit daily and have _nothing_ to report.
>
> What should I do?

Look at the packet not the alert.  From an alert you really can't tell
what happened, only that something did.

If you're logging to binary (pcap) to get the packet it's as simple as:

	snort -dvr <pcap_filename> 'host 216.234.189.108' |less

And that will show you all the packets that it could have been.

Now the fun part:  Figuring out what went on.  :)  You may find out that
this is a normal packet from a webmail application or something of the
sort.

If you're not logging to binary, well...  Either start and look at the
packets or 'hope'.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
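To make Erek's "look at the packet, not the alert" concrete, here is an added example that is not part of the original thread. It does offline what the `snort -dvr <pcap> 'host 216.234.189.108'` command does: read a pcap, keep only the packets to or from the server, and show the payload bytes around the string that the "id check returned root" rule matches. The rule content `uid=0(root)` is taken from the classic Snort ruleset (sid 498), not from the thread; the pcap is constructed in memory so the script runs with no capture file, and the HTTP webmail response in it is an invented benign case of the kind Erek describes.

```python
"""Triage an 'ATTACK RESPONSES id check returned root' alert by pulling the
matching packets out of a pcap and showing payload context.  Added example,
not code from the Snort-users thread.  The pcap below is constructed."""
import struct
import ipaddress

# Content the classic Snort rule (sid 498) looks for in any payload.
ROOT_ID_PATTERN = b"uid=0(root)"


def build_packet(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Constructed libpcap file: magic, v2.4, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1056772800 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap_bytes):
    """Yield (src, dst, sport, dport, payload) for each IPv4/TCP frame in a pcap."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"          # honour the file's byte order
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":                   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                    # not TCP
            continue
        src = str(ipaddress.IPv4Address(ip[12:16]))
        dst = str(ipaddress.IPv4Address(ip[16:20]))
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[doff:]


def find_root_id_hits(pcap_bytes, host, context=40):
    """Packets involving `host` whose payload carries the rule pattern, with the
    bytes around the match so the analyst can judge what produced them."""
    hits = []
    for src, dst, sport, dport, payload in iter_packets(pcap_bytes):
        if host not in (src, dst):                        # same idea as BPF 'host X'
            continue
        idx = payload.find(ROOT_ID_PATTERN)
        if idx < 0:
            continue
        snippet = payload[max(0, idx - context): idx + len(ROOT_ID_PATTERN) + context]
        hits.append({"src": src, "dst": dst, "sport": sport, "dport": dport,
                     "context": snippet.decode("latin-1")})
    return hits


# Constructed traffic: a webmail page quoting a cron mail (benign), the request
# that fetched it, and an unrelated host also carrying the string.
SAMPLE_PCAP = build_pcap([
    build_packet("192.168.123.150", "216.234.189.108", 40001, 80,
                 b"GET /webmail/read?msg=42 HTTP/1.1\r\nHost: mail.example\r\n\r\n"),
    build_packet("216.234.189.108", "192.168.123.150", 80, 40001,
                 b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<p>cron output: uid=0(root) gid=0(root)</p>"),
    build_packet("10.0.0.5", "192.168.123.150", 4444, 40002,
                 b"uid=0(root) gid=0(root) groups=0(root)\n"),
])

if __name__ == "__main__":
    for hit in find_root_id_hits(SAMPLE_PCAP, "216.234.189.108"):
        print(f"{hit['src']}:{hit['sport']} -> {hit['dst']}:{hit['dport']}")
        print("  ...", hit["context"], "...")
```

The context around the match is the point: an HTTP response body from the hosting provider's webmail on port 80 tells a very different story from the same string arriving on an unexpected port, and only the packet, not the alert line, lets you tell them apart.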



