Re: [Snort-sigs] Problems with SID 498: ATTACK RESPONSES id check returned root
Sam Evans <sam@neuroflux.com> writes:
> We have been experiencing quite a few false positives with this particular
> rule. Things like support pages that contain the content trigger will
> fire this rule off as well as support emails.
>
> I'd like to propose the following change to the signature:
> after:
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)
>
> What this would do is trigger the alert anytime someone from the OUTSIDE
> received the phrase uid=0(root) that was sourced from a server on your home
> net. Thus indicating that someone on the outside has root privs. on a box
> in your network.
>
> Thoughts?
I'd agree. The time this comes in handy however is when someone
compromises a local machine and then starts rooting external
machines. I used to run a lot of outgoing type rules to catch this
type of traffic when I did deployments.
Has this rule ever helped anyone out being defined like it is in
catching a machine rooting external entities?
--
Chris Green
To err is human, to moo bovine.
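The thread's disagreement is purely about rule direction, so the following added example (not from the mailing list or the Snort project) works through both headers against constructed traffic. It assumes a home network of 10.0.0.0/8, assumes the pre-change header was `$EXTERNAL_NET any -> $HOME_NET any` (which is what Chris's "local machine rooting external machines" case implies), and uses a deliberately minimal rule matcher: header fields plus a plain `content` substring check, nothing more of Snort's option language.

```python
import ipaddress
import re

# Assumption for this example: the home network is one RFC 1918 block.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

# The header as quoted in Sam's mail, joined onto one line.
PROPOSED_RULE = ('alert ip $HOME_NET any -> $EXTERNAL_NET any '
                 '(msg:"ATTACK RESPONSES id check returned root"; '
                 'content:"uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;)')
# Assumed pre-change header: external source, home-net destination.
ORIGINAL_RULE = PROPOSED_RULE.replace('$HOME_NET any -> $EXTERNAL_NET any',
                                      '$EXTERNAL_NET any -> $HOME_NET any')

RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$')


def parse_rule(text):
    """Split a one-line Snort rule into header fields and an option dict."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError("unparsable rule: %r" % text)
    rule = m.groupdict()
    opts = {}
    for item in rule["opts"].split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule


def _addr_ok(spec, addr):
    """Resolve 'any', the two rule variables, or a literal CIDR."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ip in HOME_NET
    if spec == "$EXTERNAL_NET":
        return ip not in HOME_NET
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def rule_fires(rule, pkt):
    """Header match honouring direction, then a plain content match."""
    forward = (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
               and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"]))
    if rule["dir"] == "<>":
        backward = (_addr_ok(rule["src"], pkt["dst"]) and _port_ok(rule["sport"], pkt["dport"])
                    and _addr_ok(rule["dst"], pkt["src"]) and _port_ok(rule["dport"], pkt["sport"]))
        forward = forward or backward
    if not forward:
        return False
    needle = rule["opts"].get("content", "").encode()
    return bool(needle) and needle in pkt["payload"]


# Constructed traffic; 203.0.113.0/24 is a documentation range standing in for the Internet.
PAGE = b"HTTP/1.0 200 OK\r\n\r\n<p>Run id; a root shell prints uid=0(root).</p>"
PACKETS = {
    # an outsider's shell on a home-net box echoes `id` output back out (Sam's case)
    "outsider_rooted_home_box": dict(src="10.1.2.3", sport=4444, dst="203.0.113.9",
                                     dport=53211, payload=b"uid=0(root) gid=0(root)\n"),
    # a compromised home-net box is rooting an external host (Chris's case)
    "home_box_rooting_external": dict(src="203.0.113.9", sport=4444, dst="10.1.2.3",
                                      dport=53211, payload=b"uid=0(root) gid=0(root)\n"),
    # an external support page fetched by an inside user (Sam's false positive)
    "support_page_from_outside": dict(src="203.0.113.80", sport=80, dst="10.1.2.3",
                                      dport=40000, payload=PAGE),
    # the same page served by a home-net web server to an outside reader
    "support_page_from_inside": dict(src="10.1.2.80", sport=80, dst="203.0.113.9",
                                     dport=40000, payload=PAGE),
}


def evaluate(rule_text):
    """Map each constructed packet to whether the given rule fires on it."""
    rule = parse_rule(rule_text)
    return {name: rule_fires(rule, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_RULE), ("proposed", PROPOSED_RULE)):
        print(label, evaluate(text))
```

Running it shows the trade-off the thread is arguing about: flipping the header catches the outsider-with-a-shell case and loses the compromised-local-box case, and the support-page false positive simply moves with the direction, since a content-only rule has no way to tell a shell from a web page in either direction.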
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Fri Apr 11 15:18:25 2003