Snort mailing list archives
Re: id check returned root ?!?!
From: Erek Adams <erek () snort org>
Date: Sat, 28 Jun 2003 15:29:12 -0400 (EDT)
On Sat, 28 Jun 2003, Michael D. Schleif wrote:
> I am fairly new to snort, and I've just begun analyzing my logs.
>
> I have my home office network, from which I am writing this post, that is NAT'ed behind an ipchains firewall. This system is: 192.168.123.150
>
> I also have a web/email server hosted by tera-byte.com: 216.234.189.108
>
> Last week I received several of these:
>
> 4 216.234.189.108 192.168.123.150 ATTACK RESPONSES id check returned root
>
> Now, I have come to realize that this is a dangerous situation. I run chkrootkit daily and have _nothing_ to report.
>
> What should I do?
Look at the packet, not the alert. From an alert you really can't tell
what happened, only that something did.
If you're logging to binary (pcap) to get the packet it's as simple as:
snort -dvr <pcap_filename> 'host 216.234.189.108' |less
And that will show you all the packets that it could have been.
Now the fun part: Figuring out what went on. :) You may find out that
this is a normal packet from a webmail application or something of the
sort.
If you're not logging to binary, well... Either start and look at the
packets or 'hope'. :)
Cheers!
-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
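Worked example, added here and not part of the original thread: a standard-library Python script that does the packet-level check Erek describes. It reads a classic pcap, keeps only packets sent by the server host, and reports which of them actually carry the string uid=0(root) that this rule is named for, tagging each as an HTTP response (the webmail-style false positive) or raw data so the analyst can triage. The capture is constructed inline; the two addresses are the ones from the thread.

```python
import struct
from ipaddress import ip_address

SIG = b"uid=0(root)"  # the string the "id check returned root" rule keys on

def parse_pcap(data):
    """Yield (src_ip, dst_ip, tcp_payload) for each IPv4/TCP packet in a classic Ethernet pcap."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # honour total length
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:  # not TCP, or truncated
            continue
        tcp = ip[ihl:]
        yield str(ip_address(ip[12:16])), str(ip_address(ip[16:20])), tcp[(tcp[12] >> 4) * 4:]

def id_check_hits(pcap, host):
    """Packets sent by `host` whose payload carries SIG, tagged for triage."""
    hits = []
    for src, dst, payload in parse_pcap(pcap):
        if src == host and SIG in payload:
            kind = "http-response" if payload.startswith(b"HTTP/") else "raw"
            hits.append((src, dst, kind, payload[:48]))
    return hits

# --- constructed sample capture (not a real pcap from the thread) ---
def _frame(src, dst, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums left at zero, fine for offline parsing."""
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SERVER, HOME = "216.234.189.108", "192.168.123.150"
SAMPLE_PCAP = build_pcap([
    _frame(SERVER, HOME, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<pre>uid=0(root)</pre>"),
    _frame(SERVER, HOME, b"HTTP/1.1 200 OK\r\n\r\n<html>Inbox: 3 new messages</html>"),
    _frame(SERVER, HOME, b"uid=0(root) gid=0(root) groups=0(root)\n"),
])
```

Run id_check_hits(SAMPLE_PCAP, SERVER) to see the two matching packets; the HTTP-tagged one is the webmail case, the raw one is the kind that deserves a closer look.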