Snort mailing list archives
Re: id check returned root ?!?!
From: "Nicholas Delo" <ndelo () limcollege edu>
Date: Sat, 28 Jun 2003 12:58:26 -0400 (EDT)
Check the packet contents to make sure that it is not a false positive. Email from the snort-users and snort-sigs mailing lists always triggers this alert on my IDS. Check the source and dest ports; it may be something like source port 110 (if you are using pop3) on your mail server to an unprivileged port on your mail client.
I am fairly new to snort, and I've just begun analyzing my logs.

I have my home office network, from which I am writing this post, that is NAT'ed behind an ipchains firewall. This system is:

192.168.123.150

I also have a web/email server hosted by tera-byte.com:

216.234.189.108

Last week I received several of these:

4 216.234.189.108 192.168.123.150 ATTACK RESPONSES id check returned root

Now, I have come to realize that this is a dangerous situation. I run chkrootkit daily and have _nothing_ to report.

What should I do?

--
Best Regards,
mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .
--
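The port check described in the reply above, as an added example that is not part of the original post: it reads Snort fast-format alert lines and separates "mail server replying to an unprivileged client port" from everything else. The sample alerts, addresses and rule revision are constructed, and treating IMAP (143) like POP3 is an assumption that goes beyond the port 110 case the reply names.

```python
import re

# Assumption: standard ports for services that deliver mail to a client.
# The reply only names POP3 (110); IMAP is added here on the same reasoning.
MAIL_PORTS = {110: "pop3", 143: "imap"}
RULE_MSG = "ATTACK RESPONSES id check returned root"

# Fast alert layout: [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"\[\*\*\]\s+(?:\[\d+:\d+:\d+\]\s+)?(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alerts (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
06/28-09:14:02.118734  [**] [1:498:3] ATTACK RESPONSES id check returned root [**] [Priority: 2] {TCP} 198.51.100.8:110 -> 192.0.2.50:1042
06/28-09:20:45.902211  [**] [1:498:3] ATTACK RESPONSES id check returned root [**] [Priority: 2] {TCP} 198.51.100.8:80 -> 192.0.2.50:1187
06/28-09:21:10.000412  [**] [1:1000001:1] constructed unrelated alert [**] [Priority: 3] {TCP} 192.0.2.50:1190 -> 198.51.100.8:22
"""

def triage(line):
    """Return a verdict dict for one alert line, or None if it is another rule."""
    m = FAST_RE.search(line)
    # Some front ends show the category as "ATTACK-RESPONSES"; accept both forms.
    if not m or m.group("msg").replace("-", " ") != RULE_MSG:
        return None
    sport, dport = int(m.group("sport")), int(m.group("dport"))
    if sport in MAIL_PORTS and dport >= 1024:
        verdict = "probable-false-positive"
        reason = f"{MAIL_PORTS[sport]} server reply to an unprivileged client port"
    else:
        verdict = "investigate"
        reason = "not a mail download; read the packet payload"
    flow = f"{m.group('src')}:{sport} -> {m.group('dst')}:{dport}"
    return {"flow": flow, "verdict": verdict, "reason": reason}

def triage_log(text):
    """Triage every matching alert in a block of fast-alert text."""
    return [r for r in map(triage, text.splitlines()) if r]

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r['verdict']:<24} {r['flow']}  ({r['reason']})")
```

A "probable-false-positive" verdict only narrows the list; the packet contents still need to be checked, as the reply says.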
Current thread:
- id check returned root ?!?! Michael D. Schleif (Jun 28)
- Re: id check returned root ?!?! MH (Jun 28)
- Re: id check returned root ?!?! james (Jun 28)
- Re: id check returned root ?!?! Nicholas Delo (Jun 28)
- Re: id check returned root ?!?! Michael D. Schleif (Jun 28)
- Re: id check returned root ?!?! Frank Knobbe (Jun 28)
- Re: id check returned root ?!?! Michael D. Schleif (Jun 28)
- Re: id check returned root ?!?! Erek Adams (Jun 28)
- Re: id check returned root ?!?! Michael D. Schleif (Jun 28)
- Re: id check returned root ?!?! Erek Adams (Jun 28)
- Re: id check returned root ?!?! Michael D. Schleif (Jun 28)
- Re: id check returned root ?!?! MH (Jun 28)