Snort mailing list archives

Re: ATTACK-RESPONSES id check returned root


From: sam () neuroflux com
Date: Tue, 30 Dec 2003 15:09:31 -0700 (MST)

Ahh yes, the good ole' Attack Responses id check root.  I have never seen
an instance of this alert that was NOT a false positive.  And almost every
time ours would trigger, it would be SMTP based.

What happens, in our case, is that we have SysAdmins who are asked, on
occasion to email id outputs to support engineers on the other end.  This
triggers the above rule every single time.

You could tune the rule down to *not* look at port 25, but would get the
alert anytime someone went and visited a web site which contained the 'id'
output from a Unix page.

So, you could tune out port 25 and port 80, but anytime anyone uses Telnet
(god forbid), and runs the 'id' command, they are going to trigger the
alert.

See where I'm goin?  There's no real good way for this alert to work.

Hope this helps.

-Sam
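To make the tradeoff Sam describes concrete, here is an added Python sketch (not from the thread and not Snort's own code) that mimics the rule's content match, `uid=0(root)`, over constructed sample packets and shows which of the SMTP, HTTP and telnet cases still fire as ports are tuned out. The port numbers and payloads are made up for the illustration.

```python
import re
from dataclasses import dataclass

# Byte pattern the classic rule looks for, in any payload on any port.
ID_ROOT = re.compile(rb"uid=0\(root\)")


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


def rule_matches(pkt: Packet, excluded_ports: frozenset = frozenset()) -> bool:
    """Mimic the content match; a port in excluded_ports is treated as tuned out."""
    if pkt.src_port in excluded_ports or pkt.dst_port in excluded_ports:
        return False
    return ID_ROOT.search(pkt.payload) is not None


def alerts(packets, excluded_ports: frozenset = frozenset()) -> list:
    """Return the packets that would raise the alert under a given tuning."""
    return [p for p in packets if rule_matches(p, excluded_ports)]


# Constructed sample traffic covering the three cases from the thread.
ID_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root)\r\n"
SAMPLE = [
    # SMTP: an admin mails 'id' output to a support engineer.
    Packet(40123, 25, b"Subject: id output\r\n\r\nhere you go:\r\n" + ID_OUTPUT),
    # HTTP: a web page that quotes root's 'id' output.
    Packet(80, 51000, b"HTTP/1.1 200 OK\r\n\r\n<pre>" + ID_OUTPUT + b"</pre>"),
    # Telnet: someone actually runs 'id' as root over a cleartext session.
    Packet(23, 51001, b"# id\r\n" + ID_OUTPUT),
    # Benign: a non-root 'id' output must not fire.
    Packet(80, 51002, b"HTTP/1.1 200 OK\r\n\r\nuid=1000(sam) gid=1000(sam)\r\n"),
]

if __name__ == "__main__":
    for tuning in (frozenset(), frozenset({25}), frozenset({25, 80})):
        hits = [p.dst_port for p in alerts(SAMPLE, tuning)]
        print(f"excluding ports {sorted(tuning) or 'none'}: alerts on dst ports {hits}")
```

Each pass of the loop drops one noisy port and the telnet case is still left firing, which is exactly the dead end the message describes.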



I just got this alert for our snort sensor.  I think that it's a false
positive but am not sure how to check and want to see if anyone else has
seen this.  Both the source and dest. are mail servers. The source is
from a list server that sends a good bit of emails to us and this is the
first time that I have seen this alert.  The source IP is 131.193.178.160
(stoneport.math.uic.edu - a.mx.cr.yp.to).  Any help would be greatly
appreciated.

Thanks,

Chris Romano




