Snort mailing list archives
RE: ATTACK RESPONSES id check returned root
From: "Semerjian, Ohanes" <Semerjian.Ohanes () wcom com au>
Date: Wed, 9 Oct 2002 07:48:20 +0800
The signature for that alert is defined in your rules and you don't need to go to Google to find out, just edit the rule files.

===========================================================================================================================
alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content:"uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
===========================================================================================================================

This signature will fire if someone uses a root account from anywhere to anywhere, as it checks the payload for the word "root" and that the packet has the ACK flag set. You could fine-tune the signature to meet your requirements and your interests.

Best Regards
Ohanes Semerjian
PGP KEY 6604 2A46 E64F BEBF A4B7 9D01 9E08 399C 9D45 3254

-----Original Message-----
From: Metz, Tim [mailto:TMetz () PanAmSat com]
Sent: Wednesday, 9 October 2002 3:49
To: 'Dallas Jordan '; ''Snort-Users (E-mail) '
Subject: RE: [Snort-users] ATTACK RESPONSES id check returned root

This also fires when Demarc (Puresecure) transfers rules to remote sensors.

Tim

-----Original Message-----
From: Dallas Jordan
To: 'Snort-Users (E-mail)
Sent: 10/8/02 10:10 AM
Subject: [Snort-users] ATTACK RESPONSES id check returned root

Does anyone know what could possibly set this alert off? I have checked Google and didn't come up with anything specific. I have gotten a couple of these this morning and was just wondering what I should be on the lookout for. Thanks for any suggestions.

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
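The following is an added example, not code from the thread or from Snort itself: it emulates the flags and content checks of sid 498 in Python over constructed packets, so that both the hit Ohanes describes (an ACK-flagged response carrying the output of `id`) and the false positive Tim reports (a rules file containing the literal string being pushed to a sensor) can be seen side by side. The packet records and the `parse_rule`, `flags_match` and `alerts` helpers are assumptions made for illustration.

```python
# Snort rule quoted in the thread (sid 498); its options are parsed below.
RULE = ('alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; '
        'flags:A+; content:"uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)')


def parse_rule(rule):
    """Extract the option block of a Snort rule into a dict (quoted values unquoted).
    Good enough for this rule: no option value here contains a ';' character."""
    opts = {}
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return opts


def flags_match(spec, flags):
    """Snort 'flags' semantics for the forms that matter here:
    'A+' means ACK plus any other flags, a bare 'A' means exactly ACK."""
    required = set(spec.rstrip("+*!"))
    if spec.endswith("+"):
        return required <= flags
    return required == flags


def rule_fires(opts, pkt):
    """True when the packet satisfies both the flags and the content option."""
    return flags_match(opts["flags"], pkt["flags"]) and opts["content"] in pkt["payload"]


# Constructed sample packets (not real captures): an ACK/PSH response carrying
# the output of `id`, a rules file being pushed to a sensor, and a bare SYN.
PACKETS = [
    {"name": "shell output", "flags": {"A", "P"},
     "payload": "uid=0(root) gid=0(root) groups=0(root)\n"},
    {"name": "rules transfer", "flags": {"A", "P"}, "payload": RULE + "\n"},
    {"name": "syn", "flags": {"S"}, "payload": ""},
]


def alerts(packets=PACKETS, rule=RULE):
    """Names of the packets on which the rule fires, in order."""
    opts = parse_rule(rule)
    return [p["name"] for p in packets if rule_fires(opts, p)]


if __name__ == "__main__":
    for name in alerts():
        print(f"sid:498 fired on: {name}")
```

The second hit is the rules-transfer case: because the rule keys only on the literal `uid=0(root)` in any ACK-flagged payload, any transfer of the rule text itself matches, which is why tuning by source or destination (the "any any" fields) is the usual remedy.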
Current thread:
- ATTACK RESPONSES id check returned root Dallas Jordan (Oct 08)
- Re: ATTACK RESPONSES id check returned root Chris Green (Oct 08)
- <Possible follow-ups>
- RE: ATTACK RESPONSES id check returned root McCammon, Keith (Oct 08)
- RE: ATTACK RESPONSES id check returned root Metz, Tim (Oct 08)
- RE: ATTACK RESPONSES id check returned root Semerjian, Ohanes (Oct 08)