Re: id check returned root ?!?!

["Nicholas Delo" <ndelo () limcollege edu>]

Check the packet contents to make sure that it is not a false positive.
Email from the snort-users and snort-sigs mailing lists always triggers
this alert on my IDS. Check the source and dest ports, it may be something
like source port 110 (if you are using pop3) on your mail server to an
unprivladged port on your mail client.

> I am fairly new to snort, and I've just begun analyzing my logs.
>
> I have my home office network, from which I am writing this post, that
> is NAT'ed behind an ipchains firewall.  This system is: 192.168.123.150
>
> I also have a web/email server hosted by tera-byte.com: 216.234.189.108
>
> Last week I received several of these:
>
> 4  216.234.189.108  192.168.123.150  ATTACK RESPONSES id check returned
> root
>
>
> Now, I have come to realize that this is a dangerous situation.
>
> I run chkrootkit daily and have _nothing_ to report.
>
> What should I do?
>
> --
> Best Regards,
>
> mds
> mds resource
> 877.596.8237
> -
> Dare to fix things before they break . . .
> -
> Our capacity for understanding is inversely proportional to how much we
> think we know.  The more I know, the more I know I don't know . . . --





-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users