Snort mailing list archives

RE: ATTACK RESPONSES id check returned root


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Tue, 8 Oct 2002 10:35:35 -0400

Any payload that contains the string "uid=0(root)" will cause this to fire.  Most of the times that I've caught it, 
it's been because someone visited a web site with some type of UNIX tutorial, handbook, etc.  That's generally the 
first thing that you want to look for.  

-----Original Message-----
From: Dallas Jordan [mailto:DJordan () sawgrassink com]
Sent: Tuesday, October 08, 2002 10:11 AM
To: 'Snort-Users (E-mail)
Subject: [Snort-users] ATTACK RESPONSES id check returned root


Does anyone know what could possibly set this alert off?  I have checked Google and didn't come up with anything specific.  I have gotten a couple of these this morning and was just wondering what I should be on the lookout for.  Thanks for any suggestions.


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
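
A triage sketch for the false-positive case described in the reply above, added here as an example; it is not part of the original thread or of the Snort ruleset. The HOME_NET range, the verdict names, the HTML heuristic and the sample payloads are assumptions made for illustration.

```python
import ipaddress
import re

NEEDLE = b"uid=0(root)"                         # string the reply says fires the alert
HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
HTTP_STATUS = re.compile(rb"^HTTP/1\.[01] \d{3}")


def triage(src_ip: str, payload: bytes) -> str:
    """Classify one alerted payload by who sent it and what surrounds the string.

    'no-match'    : the string is absent, the alert would not fire
    'review-page' : external web server returned HTML containing the string
                    (the tutorial/handbook case; a human still checks the page)
    'investigate' : anything else, including any payload sent by our own hosts
    """
    if NEEDLE not in payload:
        return "no-match"
    # An internal host emitting the string is never the "visited a web
    # site" case, whatever the payload looks like.
    if ipaddress.ip_address(src_ip) in HOME_NET:
        return "investigate"
    head, _, body = payload.partition(b"\r\n\r\n")
    is_html_response = (
        HTTP_STATUS.match(head) is not None
        and b"content-type: text/html" in head.lower()
        and b"<" in body
    )
    return "review-page" if is_html_response else "investigate"


# Constructed sample alerts: (source IP, payload bytes).
SAMPLES = [
    ("203.0.113.10", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     b"<html><pre>$ id\nuid=0(root) gid=0(root)</pre></html>"),
    ("10.1.2.3", b"uid=0(root) gid=0(root) groups=0(root)\n"),
    ("203.0.113.10", b"uid=0(root) gid=0(root)\n"),
    ("203.0.113.10", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     b"<html>hello</html>"),
]

if __name__ == "__main__":
    for src, data in SAMPLES:
        print(f"{src:15} {triage(src, data)}")
```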


