Snort mailing list archives

RE: ATTACK-RESPONSES id check returned userid


From: "Hudak, Tyler" <Tyler.Hudak () roadway com>
Date: Tue, 17 Jun 2003 10:48:51 -0400

You get this alert because on the website is the string "uid=x gid=y", where
x and y are numbers less than 65537.  This usually occurs on a UNIX system
when someone runs the "id" command.

I surfed that site for a while and didn't generate an alert for that
signature.  Is there a specific URL on the site that does it?

Tyler

--------------

Date: Tue, 17 Jun 2003 11:34:50 +0200
From: Roelf Schreurs <rosc () imc nl>
To: snort-users () lists sourceforge net
Subject: [Snort-users] ATTACK-RESPONSES id check returned userid

Hi

When we connect to one specific website, www.marca.com, I get a lot of
alerts.
The source address is my NAT'ed address and the destination is the IP of
this website.

Can somebody please explain why I get this as an alert.

Thanks

ID              = #0-(1-355)
SIGNATURE       = ATTACK-RESPONSES id check returned userid     
TIMESTAMP       = 2003-06-17 09:30:34
SOURCE IP       = $MY_NAT_IP:57967      
DEST IP         = 212.80.128.10:80
LAYER 4 PROTO   = TCP


-- 
Roelf
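
An added example, not part of either message and not the Snort rule itself: a Python model of the condition described in the reply ("uid=x gid=y" with both numbers below 65537), run over constructed payloads to show that ordinary web traffic carrying such a string matches just as real `id` output does. The 20-byte gap, the function name and every sample payload are assumptions.

```python
import re

MAX_ID = 65537  # from the reply: x and y are "numbers less than 65537"
GAP = 20        # assumption: bytes allowed between the uid value and " gid="

# "uid=<digits>", a short gap, then " gid=<digits>". The (?!\d) lookahead stops
# the regex from backtracking into a shorter, smaller-looking uid value.
PATTERN = re.compile(rb"uid=(\d+)(?!\d).{0,%d}? gid=(\d+)" % GAP, re.DOTALL)


def id_check_hits(payload: bytes):
    """Return the (uid, gid) pairs in payload that satisfy the modelled condition."""
    hits = []
    for m in PATTERN.finditer(payload):
        uid, gid = int(m.group(1)), int(m.group(2))
        if uid < MAX_ID and gid < MAX_ID:
            hits.append((uid, gid))
    return hits


# Constructed payloads (not captured traffic).
SAMPLES = {
    # What the signature is meant to catch: output of the "id" command.
    "id output": b"uid=0(root) gid=0(root) groups=0(root)\n",
    # Benign: a site that happens to name its cookies uid and gid.
    "cookie": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Cookie: uid=1042; gid=7\r\n\r\n",
    # Benign: "uid=" also occurs inside "guid=".
    "guid cookie": b"GET / HTTP/1.1\r\nCookie: guid=311; gid=12\r\n\r\n",
    # No alert: the uid value is not below 65537.
    "large ids": b"GET / HTTP/1.1\r\nCookie: uid=9000000; gid=12\r\n\r\n",
    # No alert: neither string present.
    "plain page": b"HTTP/1.1 200 OK\r\n\r\n<html>hello</html>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        hits = id_check_hits(data)
        print(f"{name:12} {'ALERT' if hits else 'quiet'} {hits}")
```

When triaging this alert, the matched packet payload shows which of these cases applies; a cookie or query string points to a false positive, while shell-style `id` output in a response warrants investigation.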

