Snort mailing list archives
RE: ATTACK-RESPONSES id check returned userid
From: "Hudak, Tyler" <Tyler.Hudak () roadway com>
Date: Tue, 17 Jun 2003 10:48:51 -0400
You get this alert because on the website is the string "uid=x gid=y", where x and y are numbers less than 65537. This usually occurs on a UNIX system when someone runs the "id" command.

I surfed that site for a while and didn't generate an alert for that signature. Is there a specific URL on the site that does it?

Tyler

--------------
Date: Tue, 17 Jun 2003 11:34:50 +0200
From: Roelf Schreurs <rosc () imc nl>
To: snort-users () lists sourceforge net
Subject: [Snort-users] ATTACK-RESPONSES id check returned userid

Hi

When we connect to one specific website, www.marca.com, I get a lot of alerts. The source address is my NAT'ed address and the destination is the IP of this website.

Can somebody please explain why I get this as an alert.

Thanks

ID = #0-(1-355)
SIGNATURE = ATTACK-RESPONSES id check returned userid
TIMESTAMP = 2003-06-17 09:30:34
SOURCE IP = $MY_NAT_IP:57967
DEST IP = 212.80.128.10:80
LAYER 4 PROTO = TCP

--
Roelf
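Added example, not part of the original thread: a small Python triage helper that models the match described in the reply ("uid=x gid=y" with both numbers below 65537) and separates `id`-style output from text that only resembles it. The regex, function names, the "(name)" heuristic and the sample payloads are assumptions constructed for illustration; this is not the Snort rule itself.

```python
import re

LIMIT = 65537  # upper bound quoted in the reply above

# Assumption: this regex models the description in the reply ("uid=x gid=y");
# it is not the text of the Snort rule. The optional "(name)" groups cover
# the usual `id` output form, e.g. uid=0(root) gid=0(root).
PATTERN = re.compile(r"uid=(\d+)(\([^)\s]*\))? gid=(\d+)(\([^)\s]*\))?")


def signature_hits(payload):
    """Return (uid, gid, has_names) for each match with both IDs below LIMIT."""
    hits = []
    for m in PATTERN.finditer(payload):
        uid, gid = int(m.group(1)), int(m.group(3))
        if uid < LIMIT and gid < LIMIT:
            hits.append((uid, gid, bool(m.group(2) and m.group(4))))
    return hits


def triage(payload):
    """Heuristic label for an analyst: 'no-match', 'id-like' or 'review'."""
    hits = signature_hits(payload)
    if not hits:
        return "no-match"
    # `id` normally prints account names in parentheses; bare numbers are
    # more typical of page or parameter text that only resembles it.
    return "id-like" if any(named for _, _, named in hits) else "review"


# Constructed sample payloads (not captured from the site in the thread).
SAMPLES = {
    "shell": "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n",
    "page": "<input name='q' value='uid=1204 gid=17'>",
    "large": "session uid=4000000 gid=9000000",
    "plain": "<html><body>headlines</body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body), signature_hits(body))
```

A "review" result still needs the packet payload looked at by hand, since `id` can print bare numbers when an account name cannot be resolved.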