IDS mailing list archives
RES: snort- problems
From: "Auro Pontes" <seguranca () dgsfactoring com br>
Date: Wed, 6 Aug 2003 15:04:07 -0300
Hello there,
1) I was led to believe that Snort can run on one machine and monitor specific IPs, which I would like to because not all machines on our subnet are part of our office nor are they serially assigned. However, snort is monitoring only the machine that it is installed on. Am i missing something here or do I need another product?
It is important to gather some other information about your network, ie. Is it switched? It seems to me that you have a switched network, in which case you probably will need to assign the "monitor port" to snort.
2) Last night I had a bunch of alerts pop-up which said "ATTACK-RESPONSES id check returned root"; content: "uid=0(root)" Snort's signature database said this was an indication of an attacker gaining super user access to the system and that there are no known false positives. The alert also mentioned that the source for the attacks were port 80 on IPs belonging to websites I had open(Snort and SANS) I ran netstat to check if the ports they were connecting to had established a connection but none of the ports mentioned showed any connections. I also NMAPped the machine and it showed only the expected ports to be open.
These are false positive. This specific rule listens for the string "uid=0", so even this e-mail will probably trigger it because of this statement. Load up the tcpdump log, and you'll probably see the html source code for the SANS and Snort website referencing to the "uid=0" string. Best regards, Auro Pontes DGS Factoring --------------------------------------------------------------------------- Captus Networks - Integrated Intrusion Prevention and Traffic Shaping - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Ensure Reliable Performance of Mission Critical Applications Precisely Define and Implement Network Security and Performance Policies **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo Visit us at: http://www.captusnetworks.com/ads/31.htm ---------------------------------------------------------------------------
Current thread:
- RES: snort- problems Auro Pontes (Aug 06)