Snort mailing list archives

Re: Rules question


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 14 Feb 2002 12:22:11 -0500

I would not jump to the conclusion that it is likely someone running an ID check that caused this. It should be investigated, but looking at the rule it is going to be very prone to false alerts.

Look at the rule:

attack-responses.rules:alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0***(root)"; classtype:bad-unknown; sid:498; rev:2;)

(I inserted *** in the content section, otherwise this very email will set off the rule)

So any TCP connection, in any direction, which is connected and has that text string in it will trigger.

So downloading the rules file in uncompressed form will trigger it.
Emails quoting the rule will trigger it (unless modified like this one).
Some OS install/setup/security discussions on websites, email and news will set it off.

Try doing a google on the text string (minus the ***'s), see just how many websites and news posts out there contain that string. (I got approx. 4,430 website hits and 1,340 usenet news hits for that search.) Be aware that the search itself will set the rule off as well. I triggered the rule 4 times doing the search and looking at one of the websites.


I'd look closely at what triggered the alert, if it looks like the machine on your end is not a *nix box, the outside end is almost certainly a news, web or mailserver and the alert is a false one. If the machine on your end is a *nix box, I'd check to see if it was knocked over, but be aware that it may be a false alarm.

The rule is attempting to catch the output of someone running the *nix "id" command and getting back a result indicating they are the root user.

Sample output for a non-root user (I've modified the numbers/usernames a bit, but the output format is valid):

bash$ id
uid=2105(m_kettler) gid=2105 groups=2105
bash$


At 10:21 AM 2/14/2002 +0100, Poppi, Sandro wrote:
Seems that someone did the command id, which shows that she/he has uid 0,
which in turn is root. I would strongly suggest investigating this incident
further!

Servus,
Sandro

> -----Original Message-----
> From: Bastian Ballmann [mailto:ballmann () co-de de]
> Sent: Thursday, 14 February 2002 10:08
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Rules question
>
>
> Hi @ll!!! =)
> Could anyone explain to me what this log entry should tell me?
>
> "ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic   Priority: 2]"
>
> Thanks in advance!
> Greets
>
> Bastian Ballmann
> --
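To make the false-positive argument above concrete, here is an added Python example (not code from the thread or from the Snort project) that replays SID 498's content match over a handful of constructed TCP payloads and applies the triage heuristic Matt describes (local host not *nix plus remote end a web/mail/news server means the alert is almost certainly false). The rule content is taken from the message with the *** removed; the payloads, the `alert` dictionary fields and the function names are assumptions made for this example.

```python
"""Replay Snort SID 498's content match over constructed payloads.

Added example; it is not part of the Snort rule set or of this thread.
The content string comes from the rule quoted in the thread (asterisks
removed); the packets below are constructed to show hits and false positives.
"""

# Content string from the original rule (the thread inserted *** to avoid tripping it).
RULE_CONTENT = b"uid=0(root)"


def rule_498_matches(tcp_flags: str, payload: bytes) -> bool:
    """Approximate SID 498: any TCP segment with ACK set (flags:A+) whose payload
    contains the content string anywhere. It is a plain byte substring match with
    no notion of which side sent the data or what protocol it belongs to."""
    return "A" in tcp_flags and RULE_CONTENT in payload


# Constructed sample segments: (TCP flags, payload).
SAMPLES = {
    # Output of `id` as root in a telnet-style session: a true positive.
    "root_id_output": ("AP", b"# id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n# "),
    # Non-root output in the format shown in the thread: no match.
    "user_id_output": ("AP", b"bash$ id\r\nuid=2105(m_kettler) gid=2105 groups=2105\r\nbash$ "),
    # HTTP response serving the uncompressed rules file: a false positive.
    "rules_download": (
        "AP",
        b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
        b"alert tcp any any -> any any (msg:\"ATTACK RESPONSES id check returned root\"; "
        b"flags:A+; content: \"uid=0(root)\"; classtype:bad-unknown; sid:498; rev:2;)\n",
    ),
    # E-mail quoting the rule with *** inserted, as the thread did: no match.
    "email_quote": ("AP", b"content: \"uid=0***(root)\";"),
    # Contrived SYN-only segment: flags:A+ excludes it even though the bytes match.
    "syn_only": ("S", b"uid=0(root)"),
}


def scan(samples=SAMPLES) -> dict:
    """Return {sample name: whether SID 498 would fire}."""
    return {name: rule_498_matches(flags, payload) for name, (flags, payload) in samples.items()}


# Well-known server ports for the "news, web or mailserver" case in the thread.
SERVER_PORTS = {25, 80, 119, 443}  # smtp, http, nntp, https


def triage(alert: dict) -> str:
    """Heuristic from the thread. `alert` is an assumed shape with keys
    'local_is_unix' (bool) and 'remote_port' (int)."""
    if not alert["local_is_unix"] and alert["remote_port"] in SERVER_PORTS:
        return "likely false positive: remote end is a news/web/mail server"
    if alert["local_is_unix"]:
        return "investigate local host for compromise (may still be a false alarm)"
    return "investigate: unusual endpoint pairing"


if __name__ == "__main__":
    for name, fired in scan().items():
        print(f"{name:16s} -> {'ALERT' if fired else 'quiet'}")
    print(triage({"local_is_unix": False, "remote_port": 80}))
    print(triage({"local_is_unix": True, "remote_port": 80}))
```

Running it shows the rule firing on both the genuine root `id` output and the served rules file, while the non-root output and the ***-modified quote stay quiet, which is exactly the mix of true and false positives the message warns about.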


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
