Snort mailing list archives
Re: ATTACK-RESPONSES id check returned root
From: sam () neuroflux com
Date: Tue, 30 Dec 2003 15:09:31 -0700 (MST)
Ahh yes, the good ole' Attack Responses id check root. I have never seen an instance of this alert that was NOT a false positive. And almost every time ours would trigger, it would be SMTP based. What happens, in our case, is that we have SysAdmins who are asked, on occasion, to email id outputs to support engineers on the other end. This triggers the above rule every single time. You could tune the rule down to *not* look at port 25, but you would get the alert anytime anyone went and visited a web site which contained the 'id' output from a Unix page. So, you could tune out port 25 and port 80, but anytime anyone uses Telnet (god forbid) and runs the 'id' command, they are going to trigger the alert. See where I'm goin'? There's no real good way for this alert to work. Hope this helps.

-Sam
I just got this alert for our snort sensor. I think that it's a false positive but am not sure how to check and want to see if anyone else has seen this. Both the source and dest. are mail servers. The source is from a list server that sends a good bit of emails to us and this is the first time that I have seen this alert. The source IP is 131.193.178.160 (stoneport.math.uic.edu - a.mx.cr.yp.to). Any help would be greatly appreciated. Thanks, Chris Romano
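Sam's point about port-based tuning, as an added example that is not part of the thread: this script emulates the content match behind the alert (the classic rule content is the string uid=0(root)) and runs it over constructed flows mirroring the three false-positive sources he lists, plus one genuine command-output response for contrast, to show what excluding ports 25 and 80 suppresses and what it leaves.

```python
"""Added example (not from the thread): emulate the Snort content match behind
'ATTACK-RESPONSES id check returned root' and measure how port-based tuning
trades false positives against misses. Flows below are constructed samples."""
import re
from dataclasses import dataclass

# The rule fires on this string anywhere in a payload, regardless of protocol.
ID_ROOT = re.compile(rb"uid=0\(root\)")


@dataclass
class Flow:
    label: str
    src_port: int
    dst_port: int
    payload: bytes


# Constructed traffic: Sam's three false-positive cases, one real response
# from a web server handing command output to an attacker, and benign mail.
FLOWS = [
    Flow("smtp: admin mails id output", 2525, 25,
         b"Subject: id\r\n\r\nuid=0(root) gid=0(root)\r\n"),
    Flow("http: page quoting a unix session", 80, 41234,
         b"HTTP/1.1 200 OK\r\n\r\n<pre>$ id\nuid=0(root) gid=0(root)</pre>"),
    Flow("telnet: user runs id", 23, 51000,
         b"$ id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n"),
    Flow("http: shell output to attacker (real)", 80, 44555,
         b"HTTP/1.1 200 OK\r\n\r\nuid=0(root) gid=0(root)\r\n"),
    Flow("smtp: ordinary mail", 2525, 25,
         b"Subject: lunch\r\n\r\nuid=1000(sam) gid=1000(sam)\r\n"),
]


def alerts(flows, ignore_ports=frozenset()):
    """Labels of flows that alert, skipping any flow whose source or
    destination port is in ignore_ports (the 'tune out 25 and 80' idea)."""
    return [f.label for f in flows
            if ID_ROOT.search(f.payload)
            and not ({f.src_port, f.dst_port} & ignore_ports)]


def tuning_tradeoff(flows, ignore_ports):
    """Compare untuned vs tuned alerting: what still fires, what is lost."""
    before, after = set(alerts(flows)), set(alerts(flows, ignore_ports))
    return {"still_alerting": sorted(after), "suppressed": sorted(before - after)}


if __name__ == "__main__":
    for ports in ({25}, {25, 80}):
        print(sorted(ports), tuning_tradeoff(FLOWS, frozenset(ports)))
```

Excluding both ports leaves only the Telnet case firing, and the genuine web-server response lands in the suppressed list, which is the trade-off Sam describes.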
Current thread:
- ATTACK-RESPONSES id check returned root Romano, Chris (Dec 30)
- Re: ATTACK-RESPONSES id check returned root sam (Dec 30)