IDS mailing list archives

Re: snort- problems

From: Alfredo Octavio <aov () primeordeal com>
Date: Wed, 6 Aug 2003 13:59:44 -0400

There is an obvious false positive, it is when a user or a programissues an id command, if you are using Mac OS X and do not have rootactivated (which you shouldn't), then you can safely ignored thisalerts.About your other problem I am not sure. Normal snort configurationshould be scanning your whole subnet. There must be something in thenetwork config (a blocked switch?) not permitting it...

Ciao,
aov

On Wednesday, August 6, 2003, at 10:52  AM, Rishi Pande wrote:

2) Last night I had a bunch of alerts pop-up which said
"ATTACK-RESPONSES id check returned root"; content: "uid=0(root)"
Snort's signature database said this was an indication of an attacker
gaining super user access to the system and that there are no known
false positives. The alert also mentioned that the source for the
attacks were port 80 on IPs belonging to websites I had open(Snort and
SANS) I ran netstat to check if the ports they were connecting to had
established a connection but none of the ports mentioned showed any
connections. I also NMAPped the machine and it showed only the expected
ports to be open.

----

You probably wouldn't worry about what people think of you if you couldknow how seldom they do.

 - Olin Miller
----
Alfredo Octavio                                         
PGP Key ID: 0x6531FC6D
mailto: alfredo () octavio net
http://alfredo.octavio.net/             
At: N    10˚29.809', W 066˚49.480'
-----


---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------

Current thread:

snort- problems Rishi Pande (Aug 06)
- Re: snort- problems Alfredo Octavio (Aug 06)
- <Possible follow-ups>
- RE: snort- problems Evans, Arian (Aug 06)