IDS mailing list archives

RES: snort- problems


From: "Auro Pontes" <seguranca () dgsfactoring com br>
Date: Wed, 6 Aug 2003 15:04:07 -0300

Hello there,

1) I was led to believe that Snort can run on one machine and
monitor specific IPs, which I would like to because not all
machines on our subnet are part of our office nor are they
serially assigned. However, snort is monitoring only the
machine that it is installed on. Am I missing something here
or do I need another product?

It is important to gather some other information about your network, i.e. is
it switched?

It seems to me that you have a switched network, in which case you probably
will need to assign the "monitor port" to snort.

2) Last night I had a bunch of alerts pop up which said
"ATTACK-RESPONSES id check returned root"; content:
"uid=0(root)". Snort's signature database said this was an
indication of an attacker gaining super user access to the
system and that there are no known false positives. The alert
also mentioned that the source for the attacks was port 80
on IPs belonging to websites I had open (Snort and
SANS). I ran netstat to check if the ports they were
connecting to had established a connection, but none of the
ports mentioned showed any connections. I also NMAPped the
machine and it showed only the expected ports to be open.

These are false positives. This specific rule listens for the string "uid=0",
so even this e-mail will probably trigger it because of this statement.

Load up the tcpdump log, and you'll probably see the HTML source code for
the SANS and Snort websites referencing the "uid=0" string.


Best regards,

Auro Pontes
DGS Factoring
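To make the false-positive mechanism concrete, here is an added Python example (not code from this thread or from Snort itself). It reproduces the rule's content check as a literal byte-substring search for the `uid=0(root)` string quoted in the alert above, runs it over constructed sample payloads (an HTML page from a web server on port 80, the text of an e-mail, and genuine `id` output), and then applies a simple triage heuristic that is an assumption of this example: a hit inside an HTTP response served from port 80 is treated as web content and down-ranked, anything else is escalated for investigation.

```python
# Added example: why "ATTACK-RESPONSES id check returned root" fires on
# ordinary web pages, and a first triage pass a defender can run over the
# payloads pulled out of the tcpdump log.

# Literal content the rule matches, taken from the alert quoted in the thread.
RULE_CONTENT = b"uid=0(root)"

# Constructed sample payloads (not captured from a real network). They stand
# in for the Snort/SANS pages mentioned in the thread, the e-mail itself and
# a real root shell response.
SAMPLES = {
    "html_from_port80": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body><p>Rule documentation: the content match "
        b"<code>uid=0(root)</code> shows the id command ran as root."
        b"</p></body></html>"
    ),
    "mail_body": (
        b'Subject: RES: snort- problems\r\n\r\n'
        b'alerts said "ATTACK-RESPONSES id check returned root"; '
        b'content: "uid=0(root)" Snort\'s signature database said...'
    ),
    "shell_output": b"uid=0(root) gid=0(root) groups=0(root)\n",
    "benign_shell": b"uid=1000(alice) gid=1000(alice)\n",
}


def content_matches(payload: bytes) -> bool:
    """The rule's content check: a case-sensitive substring search anywhere
    in the payload. Protocol, direction and context play no part."""
    return RULE_CONTENT in payload


def looks_like_http_response(payload: bytes) -> bool:
    """True for a payload that starts with an HTTP status line and carries a
    header/body separator, i.e. something a web server sent back."""
    return payload.startswith(b"HTTP/1.") and b"\r\n\r\n" in payload


def triage(payload: bytes, src_port: int) -> str:
    """Classify one matching payload.

    Returns 'no_match', 'likely_false_positive' or 'investigate'. The
    heuristic (assumed for this example): the string inside an HTTP response
    body coming from port 80 is almost certainly page content; any other
    source, for instance raw shell output on an unexpected port, is escalated.
    """
    if not content_matches(payload):
        return "no_match"
    if src_port == 80 and looks_like_http_response(payload):
        return "likely_false_positive"
    return "investigate"


def triage_all() -> dict:
    """Run every constructed sample with a plausible source port."""
    ports = {
        "html_from_port80": 80,   # a web page being read in a browser
        "mail_body": 25,          # this message in transit over SMTP
        "shell_output": 4444,     # id output on an unexpected port
        "benign_shell": 80,       # no match at all
    }
    return {name: triage(SAMPLES[name], ports[name]) for name in SAMPLES}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:18s} -> {verdict}")
```

The point of the triage function is only to show where a human needs to look: the web-page hit is explained by the HTML body, while a match arriving on an unexpected port with no HTTP framing is exactly the case the rule was written for and deserves the netstat and nmap checks described in the question.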



